Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance
the development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.

Abstract

This publication describes the NICE Cybersecurity Workforce Framework (NCWF), the product
of many years of collaboration regarding workforce training and education. NCWF provides a
fundamental reference resource for describing and sharing information about cybersecurity work
roles, the discrete tasks performed by staff within those roles, and the knowledge, skills, and
abilities (KSAs) needed to complete the tasks successfully. As a common, consistent lexicon that
categorizes and describes cybersecurity work, the NCWF improves communication about how to
identify, recruit, develop, and retain cybersecurity talent. The NCWF is a resource from which
organizations or sectors can develop additional publications or tools focused on defining or
providing guidance on aspects of workforce development, planning, training, and education.

Keywords

Ability; cybersecurity; cyberspace; education; knowledge; role; skill; task; training; work role.
Executive Summary


The National Initiative for Cybersecurity Education (NICE), led by the National Institute of 
Standards and Technology (NIST) in the U.S. Department of Commerce, is a partnership 
between government, academia, and the private sector working to energize and promote a robust 
network and an ecosystem of cybersecurity education, training, and workforce 
development. NICE fulfills this mission by coordinating with government, academic, and 
industry partners to build on existing successful programs, facilitate change and innovation, and 
bring leadership and vision to increase the number of skilled cybersecurity professionals helping 
to keep our nation secure. 

NICE is committed to cultivating an integrated cybersecurity workforce that is globally 
competitive from hire to retire, prepared to protect our nation from existing and emerging 
cybersecurity challenges. Despite increasing awareness and global focus on cybersecurity, many 
managers report a shortage of skilled cybersecurity workers and need assistance with hiring 
qualified staff to fill critical security gaps. To address these needs, this publication describes the 
NICE Cybersecurity Workforce Framework (NCWF). 

As the threats to cybersecurity and the protections implemented grow and evolve, a cybersecurity 
workforce must be prepared to adapt, design, develop, implement, maintain, measure, and 
understand all aspects of cybersecurity. A cybersecurity workforce includes not only technically 
focused staff but those who apply knowledge of cybersecurity and its inherent challenges when 
preparing their organization to successfully implement its mission. A knowledgeable and skilled 
cybersecurity workforce can implement and maintain protections and take actions to meet our 
nation’s needs. 

This publication serves as a fundamental reference to support a workforce capable of meeting an 
organization’s cybersecurity needs. It describes how the NCWF provides organizations with a 
common, consistent lexicon to categorize and describe cybersecurity work. The document 
defines the NCWF components, namely Categories, Specialty Areas, and Work Roles. Finally, it 
describes a superset of cybersecurity Tasks for each work role and the Knowledge, Skills, and 
Abilities (KSAs) demonstrated by a person whose cybersecurity position includes each work 
role. Based upon these components, the common lexicon provided by the NCWF enables 
consistent organization and communication about cybersecurity work. 

The NCWF can be viewed as a cybersecurity workforce dictionary, and consumers of the NCWF 
can reference it for different workforce development, education, and/or training purposes. For 
instance, it provides a starting point and helps set standards for developing academic pathways, 
career pathways, position descriptions, and training content. The NCWF helps to ensure our 
nation is able to educate, recruit, train, develop, and retain a highly qualified cybersecurity 
workforce. It serves several key audiences within the cybersecurity community including: 

• Employers, to help assess their cybersecurity workforce, identify critical gaps in 
cybersecurity staffing, and improve position descriptions; 

• Current and future employees, to help explore Tasks and Work Roles and assist with 
understanding the KSAs that are being valued by employers for in-demand cybersecurity 
jobs and positions. The NCWF also enables staffing specialists and guidance counselors
to use the NCWF as a resource to support these employees or job seekers; 

• Training and certification providers who desire to help current and future members of 
the cybersecurity workforce gain and demonstrate the KSAs; 

• Education providers who may use the NCWF as a reference to develop curriculum, 
courses, seminars, and research that cover the KSAs and Tasks described; and 

• Technology providers who can identify cybersecurity Work Roles and specific Tasks 
and KSAs associated with services and hardware/software products they supply. 

As a mechanism to organize information technology (IT), cybersecurity, and cyber-related work, 
the NCWF helps organizations to organize roles and responsibilities through the following 
components: 

• Categories - A high-level grouping of common cybersecurity functions; 

• Specialty Areas - Distinct areas of cybersecurity work; 

• Work Roles - The most detailed groupings of IT, cybersecurity, or cyber-related work, 
which include specific knowledge, skills, and abilities required to perform a set of tasks; 

• Tasks - Specific work activities that could be assigned to a professional working in one 
of the NCWF’s Work Roles; and 

• Knowledge, Skills, and Abilities (KSAs) - Attributes required to perform Tasks,
generally demonstrated through relevant experience or performance-based education and 
training. 

The NCWF components work together to describe the range of cybersecurity work, from a high 
level to the very granular. Each Category contains Specialty Areas, each of which contains one 
or more Work Roles. Each Work Role is composed of numerous Tasks and KSAs. Providing this 
range of detail helps organizations to systematically build their cybersecurity workforce, which, 
in turn, enables improved performance, cost-effective workforce management, and continuous 
readiness. 

While some of the NCWF is based on federal government programs, any organization with 
cybersecurity workforce needs will benefit from the standards described and can customize the 
NCWF as needed. 

Using the NCWF as described above will help strengthen an organization’s cybersecurity 
workforce. Investment in the existing workforce, such as through initiatives focused on training 
and retaining existing talent, will help the organization to prepare for and realize its risk 
management objectives. The common language provided by the NCWF also helps bridge 
workforce needs to external frameworks, such as the Cybersecurity Framework (CSF) [3], the 
U.S. Department of Labor Competency Models [4], the U.S. Department of Education 
Employability Skills Framework [5], and the National Security Agency (NSA)/Department of 
Homeland Security (DHS) National Centers of Academic Excellence in Cyber Defense
(CAE-CD) Knowledge Units [6].




NIST SP 800-181 (Draft) NICE Cybersecurity Workforce Framework (NCWF) 

The NCWF builds upon decades of industry research into how to effectively manage the risks to
valuable organizational electronic and physical information. Cybersecurity tactics are
ever-changing, always identifying new ways to gain information advantage through technology. As
we evolve, the ways we perform cybersecurity functions continue to evolve, as must the
components of the NCWF. As part of an ongoing collaborative approach, NICE will periodically
consider recommendations received and will update the NCWF publication(s). Additionally, new
reference materials or tools will be developed to cross-reference elements of the NCWF. To the
extent possible, digital reference materials will be posted to the NICE website as an aid to
applying and utilizing NCWF and associated materials.
1 Introduction


The National Initiative for Cybersecurity Education (NICE), led by the National Institute of 
Standards and Technology (NIST) in the U.S. Department of Commerce, is a partnership 
between government, academia, and the private sector working to energize and promote a robust 
network and an ecosystem of cybersecurity education, training, and workforce 
development. NICE fulfills this mission by coordinating with government, academic, and 
industry partners to build on existing successful programs, facilitate change and innovation, and 
bring leadership and vision to increase the number of skilled cybersecurity professionals helping 
to keep our nation secure. 

NICE is committed to cultivating an integrated cybersecurity workforce that is globally 
competitive from hire to retire, prepared to protect our nation from existing and emerging 
cybersecurity challenges. 

There are national activities that focus on using business drivers to guide cybersecurity activities 
and considering cybersecurity risks as part of the organization’s risk management processes. A 
skilled cybersecurity workforce is needed to meet the unique cybersecurity needs of critical 
infrastructure, enterprise, and operational technology systems and networks. As the threats to 
cybersecurity and the protections implemented grow and evolve, a cybersecurity workforce must 
be prepared to adapt, design, develop, implement, maintain, measure, and understand all aspects 
of cybersecurity. A cybersecurity workforce includes not only technically focused staff but those 
who apply knowledge of cybersecurity and its inherent challenges when preparing their 
organization to successfully implement its mission. A knowledgeable and skilled cybersecurity 
workforce can implement and maintain the protections and take actions to meet our nation’s 
needs. 

Today’s systems and networks are complex assemblages of technology (i.e., hardware, software, 
and firmware), processes, and people, working together to provide organizations with the 
capability to process, store, and transmit information in a timely, more secure manner to support 
various missions and business functions. The degree to which organizations have come to 
depend upon these systems and networks to conduct routine, important, and critical missions and 
business functions means that the protection of the underlying systems and environments of 
operation is paramount to the success of the organization. 

The selection of appropriate security and privacy controls for information systems continues to 
be an important task that can have significant implications on the operations and assets of an 
organization as well as the welfare of individuals. Finding qualified individuals with the 
Knowledge, Skills, And Abilities (KSAs) who can select, maintain, assess, implement, and 
upgrade the appropriate security and privacy controls is a challenge being addressed by more and 
more organizations who now understand that cybersecurity risks need to be addressed by a 
capable and ready cybersecurity workforce. 

Understanding how to develop and maintain a workforce that allows an organization to focus on 
the cybersecurity risks to its operations and assets, to individuals, to other organizations, and to 
the nation is vital. A prepared cybersecurity workforce is also essential in a globally 
interconnected digital information and communications infrastructure that underpins almost 
every facet of modern society and provides critical support for the U.S. economy, civil
infrastructure, public safety, and national security.

1.1 NCWF Background

The concept for the NCWF began before the establishment of NICE and grew out of the
recognition that the cybersecurity workforce (federal and private industry) could not be
measured, and that the roles needed to support our nation’s cybersecurity were undefined. To
combat this challenge, the Federal Chief Information Officers (CIO) Council was tasked in 2008
to provide a standard framework to understand the cybersecurity roles within the federal
government.

In 2008, the Federal CIO Council produced a research report that referenced where other
information technology professional development efforts were also under way, and specific roles
were identified as needed by agencies to conduct cybersecurity work.

In 2011, thirteen roles were identified and published by the Federal CIO Council. This content
was created with input from focus groups with subject-matter experts from numerous federal
agencies.

Building on this work, the first version of the NCWF was posted for public comment in
September 2011. The comments were incorporated into a version that became the basis of
cybersecurity functional codes by the Office of Personnel Management (OPM) in 2013. Use of
these codes enabled federal agencies to identify the cybersecurity workforce, determine baseline
capabilities, examine hiring trends, identify skill gaps, and more effectively recruit, hire,
develop, and retain a valuable cybersecurity workforce.

A government-wide review of that first version of the NCWF provided an opportunity for other
organizations to comment and recommend edits. The Department of Homeland Security (DHS)
analyzed this input and validated final recommendations via focus groups with subject-matter
experts from around the country and across private industry, academia, and government.

A key focus of DHS’ focus groups was to gather equal input across industry sectors to ensure
that the NCWF is applicable across the nation and not just to government agencies. The resulting
second version of the NCWF was drafted, validated, and published in 2014.

Since 2014, the Department of Defense (DoD) further refined the NCWF and added the Work
Roles - which are provided for the first time in this publication - to add more specificity and to
help organizations better associate cybersecurity positions with the NCWF. DoD developed the
Work Roles with input from private industry and government, and DHS refined them to ensure
private sector and civilian government applicability.
1.2 Purpose and Applicability

The purpose of this publication is to provide a fundamental reference resource to support a
workforce capable of meeting an organization’s cybersecurity needs by:

• Providing organizations with a common, consistent lexicon that categorizes and describes
cybersecurity work;

• Organizing cybersecurity work into seven high-level Categories and over 50 Work Roles
within those seven Categories;

• Offering a superset of Tasks for each Work Role; and

• Offering a superset list of Knowledge, Skills, and Abilities (KSAs) for each work role.

Using the NCWF as a reference resource will improve the communication about cybersecurity
needed to identify, recruit, and develop talent. The NCWF will allow employers to use more
focused, consistent language in professional development programs, in their use of industry
certifications, and in their selection of relevant training opportunities for their workforce.

The NCWF facilitates the use of a more consistent, comparable, and repeatable approach to
select and specify cybersecurity roles for positions within organizations. It also provides a
common lexicon that academic institutions can use to develop cybersecurity curricula that better
prepare students for current and anticipated cybersecurity workforce needs.

The application of the NCWF as a resource is meant to offer the ability to describe all
cybersecurity work. An applicability goal of the NCWF is that any cybersecurity job or position
can be described by identifying the relevant components identified within the NCWF. Context of
the mission or business processes being supported by that job or position will drive which
components are selected from within the NCWF. This document does not seek to provide a
definition of cybersecurity, since the use of that term varies depending upon an organization’s
mission or business context.

The NCWF is a resource from which organizations or sectors can develop additional
publications or tools focused on defining or providing guidance on aspects of workforce
development, planning, training, and education.

1.3 Audience/NCWF Consumers

The NCWF can be viewed as a cybersecurity workforce dictionary, and consumers of the NCWF
will reference it for different workforce development, education, or training purposes. The
NCWF is an essential resource that will help to ensure that our nation can educate, recruit, train,
develop, and retain a highly qualified cybersecurity workforce.

1.3.1 Employers

Use of the common lexicon within the NCWF enables employers to establish standards for
inventorying and developing their cybersecurity workforce. The NCWF can be used by
employers and organizational leadership to:


• Inventory and track their cybersecurity workforce to gain a greater understanding of the 
strengths and gaps in Knowledge, Skills, and Abilities and Tasks performed; 

• Identify training and qualification requirements to develop critical Knowledge, Skills, 
and Abilities to perform cybersecurity Tasks; 

• Improve position descriptions and job vacancy announcements by using specific Work 
Roles from the NCWF and selecting relevant KSAs and Tasks; and 

• Identify the most relevant Work Roles and develop career paths to guide staff in gaining 
the requisite skills for those roles. 

Figure 1 illustrates how the NCWF helps to build a strong cybersecurity workforce. 



Figure 1 - Building Blocks for a Capable and Ready Cybersecurity Workforce 

As shown, several key inputs improve the benefits and value of the NCWF for a capable and 
ready cybersecurity workforce: 

• A common lexicon supports consistent use of terminology by educators, employers, and 
employees. 

• Criticality Analysis helps to identify those Tasks and KSAs that form a baseline set (i.e., 
that are key to multiple Work Roles or to specific role-based training). The analysis also 
helps identify those Tasks and KSAs that are critical for successful performance with a 
given Work Role. 

• Proficiency Analysis supports understanding of the expectation of the level to which a 
person in a Work Role exhibits the KSAs described. For example, someone in a given 
Work Role may exhibit varied understanding and ability as that worker progresses from 
entry-level to expert. Proficiency considerations are an important workforce 
consideration and are included in the additional concepts for future consideration in the 
NCWF, as described in Section 4.1. 
1.3.2 Current and Future Cybersecurity Workers

The NCWF supports those in the cybersecurity field and those who might wish to enter the
cybersecurity field, to explore Tasks within cybersecurity Categories and Work Roles. It also
assists those who support these workers, such as staffing specialists and guidance counselors, to
help job seekers and students understand which cybersecurity Work Roles and which associated
Knowledge, Skills, and Abilities are being valued by employers for in-demand cybersecurity
jobs and positions.

These workers are further supported when vacancy announcements and open position
descriptions use the common lexicon of the NCWF, providing clear and consistent descriptions
of the cybersecurity tasks and training that are likely to be needed for those positions.

When training providers and industry certification providers use the common lexicon of the
NCWF, those in the cybersecurity field, or those who might wish to enter the cybersecurity field,
can find training and/or certification providers that can help them learn the tasks necessary to
secure a cybersecurity job or to progress into new positions. Use of the common lexicon helps
students and professionals to obtain KSAs that are typically demonstrated by a person whose
cybersecurity position includes a given Work Role. This understanding helps them seek out
academic programs that include learning outcomes and knowledge units that map to the KSAs
and Tasks that are valued by employers.

1.3.3 Educators/Trainers

The NCWF provides a reference for educators to develop curriculum, training programs,
courses, seminars, and exercises or challenges that cover the KSAs and Tasks described in the
NCWF.

Staffing specialists and guidance counselors can use the NCWF as a resource for career
exploration.

1.3.4 Technology Providers

The NCWF allows a technology provider to identify the cybersecurity Work Roles and the Tasks
and KSAs associated with hardware and software products and services they provide.

1.4 Organization of this Special Publication

The remainder of this special publication is organized as follows:

• Chapter Two defines the components of the NCWF: (i) Categories; (ii) Specialty Areas;
(iii) Work Roles; (iv) associated supersets of Tasks; and (v) Knowledge, Skills, and
Abilities for each Work Role.

• Chapter Three shows the application of the NCWF through cross-walk illustrations with
applicable external models.

• Chapter Four describes the process by which revisions to the NCWF will be periodically
addressed.


• Appendix A describes the NCWF list of Categories, Specialty Areas, Work Roles, Tasks, 
and KSAs. 

• Appendix B provides a detailed listing of each Work Role, including the associated Tasks 
and KSAs. 

• Additional appendices describe applicable acronyms and references. 
2 NCWF Components and Relationships


2.1 Components of the NCWF 

The NCWF organizes information technology (IT), cybersecurity, and cyber-related work. This 
section introduces and defines the core components of the NCWF in support of those areas. 

2.1.1 Categories 

Categories provide the overarching organizational structure of the NCWF. There are seven 
Categories and all are composed of Specialty Areas and Work Roles. This organizing structure is 
based on extensive job analyses that group together work and workers that share common major
functions, regardless of job titles or other occupational terms. 

2.1.2 Specialty Areas 

Categories contain groupings of cybersecurity work, which are called Specialty Areas. There 
were 31 Specialty Areas called out in NCWF version 1.0 [1] and 32 in NCWF version 2.0 [2].
Each specialty area represents an area of concentrated work, or function, within cybersecurity.
Those previous versions of the NCWF provided the typical Tasks and Knowledge, Skills and
Abilities (KSAs) within each specialty area. Specialty Areas in a given Category are typically
more similar to one another than to Specialty Areas in other Categories. In this publication,
Tasks and KSAs are now connected with the Work Roles defined in Appendix A.

2.1.3 Work Roles 

Work Roles are the most detailed groupings of IT, cybersecurity, or cyber-related work. These 
roles include lists of knowledge, skills, and abilities that a person must have to perform a set of 
functions or tasks. 

For members of the cybersecurity workforce, work being performed is described by selecting 
one or more Work Roles from the NCWF relevant to that job or position, in support of mission 
or business processes. 

To aid in the organization and communication about cybersecurity responsibilities, Work Roles 
are grouped into specific classes of categories and specialty areas, as described below. 

2.1.4 Tasks 

Every Work Role requires an individual to perform certain duties, or Tasks. Tasks are examples 
of the type of work that could be assigned to a professional working in one of the NCWF’s Work 
Roles. 

2.1.5 Knowledge, Skills, and Abilities 

Knowledge, Skills, and Abilities (KSAs) are the attributes required to perform a job and are 
generally demonstrated through relevant experience, education, or training. The NCWF 
associates KSAs with Work Roles to clearly define the qualifying experience or capabilities
needed to successfully perform the tasks or functions associated with a given Role. 

2.2 NCWF Component Relationships 

Various NCWF components work together to describe the information technology (IT), 
cybersecurity, and cyber-related work. As illustrated in Figure 2, each Category is supported by 
Specialty Areas, each of which is supported by one or more Work Roles. Each Work Role, in 
turn, is composed of numerous discrete Tasks and associated KSAs. Notably, KSAs numbered 
K0001 through K0006 are core to all cybersecurity activities and apply to every Work Role. 

Grouping components in this manner helps to organize the Work Roles and related Tasks and 
KSAs, simplifies communicating about cybersecurity topics, and helps with alignment to 
external frameworks. Specific associations of Work Roles to Tasks, Knowledge, Skills, and 
Abilities are described in Appendix B. 



Figure 2 - Relationships among NCWF Components 
3 Applying the NCWF


Application of the various components, as described in Section 2, enables the organization to 
achieve a broad array of benefits. Using the NCWF to understand organizational needs and 
assess the extent to which those needs are met, helps the organization to plan, implement, and 
monitor a successful cybersecurity program. The following topics illustrate how to apply the 
NCWF to achieve these business purposes, ensuring effective performance, cost-effective 
workforce management, and continuous cybersecurity readiness. While several of the examples 
are based upon a strategy that is specific to federal government programs, any organization with 
cybersecurity workforce needs will benefit from the principles described. The following topics 
are helpful to all those involved in cybersecurity workforce development. 

3.1 Identification of Cybersecurity Workforce Needs 

With technology becoming a critical element of nearly every part of society, cybersecurity is a 
rapidly changing and expanding field. This expansion requires a cadre of skilled workers to help 
organizations perform cybersecurity functions. As organizations identify what is needed to 
manage risk adequately, both now and in the future, leaders need to consider the workforce 
capabilities and capacity needed. 

The DHS Cybersecurity Workforce Development Toolkit (CWDT) [9] - which provides tools 
and guidance to help organizations understand and build their cybersecurity workforce - 
describes the first step in preparing to build your cybersecurity workforce as having a shared 
vision for organizing your cybersecurity workforce against cybersecurity work. Having a 
common understanding supports leaders in responding to changing environments - giving you 
data to better adjust resources, see patterns of work, and highlight areas of potential risk. This 
understanding is especially important in the ever-changing environment of cybersecurity. The 
CWDT includes a Cybersecurity Workforce Planning Capability Maturity Model (CMM), a
self-assessment tool to help organizations evaluate the maturity of their cybersecurity workforce
planning capability.

Once the organization has determined cybersecurity requirements (such as through a 
cybersecurity audit or an internal self-assessment), the NCWF helps specify the Work Roles and 
Tasks that will help fulfill those. While general terms, such as “cyber professionals,” have 
historically been used to measure needs, the specificity provided by NCWF provides a better 
approach to describe the dozens of discrete job functions needed. By defining the required and 
available competencies of resources, and by identifying gaps between required and available 
skills, the organization can identify critical needs. NCWF helps an organization to answer the 
following questions, drawn from the Baldrige Cybersecurity Excellence Builder Tool [10],
regarding maintenance of an effective and supportive workforce environment to achieve its 
cybersecurity goals: 

• How do you assess your workforce capability and capacity needs related to 
cybersecurity? 

• How do you organize and manage your cybersecurity workforce to establish roles and 
responsibilities? 




• How do you prepare your workforce for changing cybersecurity capability and capacity 
needs? 

The cybersecurity landscape is always evolving, so the NCWF helps to provide continuous 
monitoring of these needs as part of a proactive risk management approach. 

3.2 Education and Training of Cybersecurity Workforce Members 

Access to information security education and training has grown significantly in recent years, 
partly due to efforts by the federal government to improve and expand formal cybersecurity 
education programs. Despite this success, many organizations continue to find that such 
programs are not adequately preparing students to support the needs described by the Work 
Roles. The NCWF, through its consistent lexicon, helps educators to prepare students with the 
specific Knowledge, Skills, and Abilities that should be demonstrated by a person whose 
cybersecurity position includes those Work Roles. 

Academic institutions are a critical part of preparing and educating the cybersecurity workforce. 
Collaboration among public and private entities, such as through the NICE program, enables such
institutions to determine common knowledge and abilities that are needed. In turn, developing 
and delivering curricula that are harmonized with the NCWF lexicon allows institutions to better 
prepare students for filling employers’ cybersecurity positions. As the pipeline of students 
finding desired jobs in cybersecurity increases, more students will be attracted to academic 
cybersecurity programs as a reliable pathway to a career. An example of such success is the 
NSA/DHS National Centers of Academic Excellence in Cyber Defense (CAE-CD) Program 
Office, which developed a mapping document [6] that demonstrates a relationship between the
CAE-CD Knowledge Units and the NCWF. 

3.3 Recruitment and Hiring of Highly Skilled Cybersecurity Talent 

As relevant cybersecurity assessments (e.g., information security audits) inform the organization 
about risk management priorities, and in response to the workforce assessment described in 
Section 3.1, application of NCWF will help organizations to accomplish better strategic 
workforce planning and hiring. NCWF definitions may be used to create or revise position 
descriptions that consistently portray the Work Roles, and the lexicon helps candidates to 
accurately seek out specific positions for which they are interested and qualified. Through the 
use of NCWF Task definitions to describe job duties and responsibilities, and the use of NCWF 
KSAs to describe the position’s needed skills and qualifications, candidates and hiring managers 
will gain a consistent understanding of expectations. Application of these criteria also helps to 
develop evaluation criteria for vetting and approving candidates. 

The DHS CMSI PushbuttonPD™ Tool [11] allows managers, supervisors, and HR specialists to
rapidly draft a federal employee Position Description (PD) without the need for extensive 
training or prior knowledge of position classification. It is designed to present language from 
multiple, mission-critical authoritative sources and standards for duties, tasks, and KSAs, rapidly 
capture the hiring official’s requirements, and present them in a robust hiring package that can be 
easily integrated into existing agency HR processes.

Application of the NCWF is not restricted to external hiring. Because it supports specific training
recommendations and performance measurement capability, the framework assists organizations 
with retraining existing staff to take on cybersecurity Work Roles. NCWF may also support 
organizations’ ability to temporarily or permanently obtain external staff augmentation to fill 
those gaps that were identified in Section 3.1, and/or may be able to obtain external resources 
that can support education and training to ensure that internal candidates end up with the 
necessary knowledge and skills. 

3.4 Retention and Development of Highly Skilled Cybersecurity Talent 

A critical aspect of a skilled cybersecurity workforce involves the retention and development of 
the skilled talent already onboard. A current employee has existing relationships, institutional 
knowledge, and organizational experience that are hard to replace. Refilling a position after an
employee leaves often brings new advertising and hiring costs, expenses for training, diminished
productivity, and reduced morale. The DHS CWDT [9] offers profiles as a guide that focuses on
retaining staff at every level, whether entry-level, mid-career, or seasoned cybersecurity
professionals. The following list illustrates some of the ways that NCWF supports retention and
development of cybersecurity talent: 

• Since some personnel recognize that cybersecurity is an exciting and technical field, the 
broad range of Work Roles and Specialty Areas provides a range of cybersecurity 
functions to which they might aspire and work to attain. 

• While some organizations have been able to attract cybersecurity talent, the ability to 
retain such talent will depend, in part, on the ability to offer a progressively challenging 
and evolving set of Work Roles, such as those enumerated by the NCWF. 

• The detailed understanding of the Tasks and KSAs helps existing staff to understand the 
specific steps needed to develop their capabilities, promoting readiness for a particular 
desired position. The organization might even rotate staff into such positions to develop 
skills in a particular set of KSAs. 

• Understanding of the Tasks and KSAs helps organizations to identify group training 
opportunities that will help prepare numerous staff members to perform duties in 
particular Categories, Specialty Areas, and Work Roles. 

• KSAs help organizations to understand which technical abilities will help a person in a 
position that includes specific cybersecurity Work Roles. Building upon the value of 
knowledge-based certifications, organizations may be able to use training and 
examinations that are based on cybersecurity skills and abilities, such as those that 
evaluate KSA proficiency in a realistic environment. 

• Considering the gaps identified in Section 3.1, the organization can use existing 
personnel to fill critical cybersecurity staffing needs, leveraging the ability to review 
resumes of existing staff to identify those with desirable KSAs. 

• Organizations can identify personnel that are diligent in improving KSAs in relevant 
areas, rewarding those who perform well and developing improvement plans for those 
needing work in particular areas of ability.

• The NCWF is helpful for existing employees who desire to move into a cybersecurity
Work Role from another position (e.g., a reliable employee in a non-cybersecurity work
role that is being phased out, or a worker in a position that’s less challenging than
desired). Through identification of a challenging career path, such an employee may be
invigorated by the new opportunity, armed with an understanding of what KSAs will help 
prepare them for the new role. 

Using the NCWF as described above will help strengthen the organization’s cybersecurity 
workforce. Investment in the existing workforce, such as through initiatives focused on training 
and retaining existing talent, will help the organization to prepare for and realize its risk 
management objectives. 

3.5 Cybersecurity Framework (CSF) 

In 2014, NIST released the Framework for Improving Critical Infrastructure Cybersecurity [3], 
commonly referred to as the Cybersecurity Framework (CSF). Developed in response to 
Executive Order (EO) 13636 [12], the CSF was created to provide a performance-based and
cost-effective approach to help organizations to identify, assess, and manage cybersecurity risk. 

It was built through a series of public workshops that were convened by NIST to better 
understand what standards and methodologies are helpful for achieving effective risk 
management, and how voluntary existing good practices might be implemented to improve 
cybersecurity. 

CSF is composed of three parts: Framework Core, Framework Implementation Tiers, and 
Framework Profiles. Each component reinforces the connection between business drivers and 
cybersecurity activities. The most relevant part of CSF to NCWF is the Framework Core. The 
Core’s elements work together as follows: 

• Functions organize basic cybersecurity activities at their highest level. These functions - 
Identify, Protect, Detect, Respond, and Recover - are described in further detail below. 

• Categories are the subdivisions of a Function into groups of cybersecurity outcomes 
closely tied to programmatic needs and particular activities. 

• Subcategories further divide a Category into specific outcomes of technical and/or 
management activities. They provide a set of results that, while not exhaustive, help to 
support achievement of the outcomes in each Category. 

• Informative References are specific sections of standards, guidelines, and practices 
common among critical infrastructure sectors that illustrate a method to achieve the 
outcomes associated with each Subcategory. The Informative References presented in the 
Framework Core are illustrative and not exhaustive. They are based upon cross-sector 
guidance most frequently referenced during the Framework development process. 

A companion document, the NIST Roadmap for Improving Critical Infrastructure Cybersecurity 
[13], discusses key areas of CSF development and alignment, including industry collaboration.

Its plans are based on feedback received from stakeholders throughout the development process, 
including elements that impact cybersecurity workforce organization and communication. The
roadmap points to the need for a skilled cybersecurity workforce to meet the unique
cybersecurity needs of critical infrastructure. It recognizes that, as the cybersecurity threat and
technology environments evolve, the workforce must continue to adapt to design, develop,
implement, maintain, and continuously improve the necessary cybersecurity practices.

The Core Functions each contribute to a high-level understanding of the cybersecurity needs of
the organization:

• Identify (ID) - Develop the organizational understanding to manage cybersecurity risk to 
systems, assets, data, and capabilities. 

• Protect (PR) - Develop and implement the appropriate safeguards to ensure delivery of 
critical infrastructure services. 

• Detect (DE) - Develop and implement the appropriate activities to identify the
occurrence of a cybersecurity event. 

• Respond (RS) - Develop and implement the appropriate activities to take action 
regarding a detected cybersecurity event. 

• Recover (RC) - Develop and implement the appropriate activities to maintain plans for 
resilience and to restore any capabilities or services that were impaired due to a 
cybersecurity event. 


In many ways, these Functions correlate to the NCWF Categories. Table 1 describes the
relationships among the CSF Functions and NCWF Categories.

Table 1 - Crosswalk of NCWF Workforce Categories to CSF Functions

| NCWF Category | Category Description | Related CSF Function(s) |
|---|---|---|
| Securely Provision (SP) | Conceptualizing, designing, and building secure information technology (IT) systems, with responsibility for some aspect of the systems' development. | Identify (ID), Protect (PR) |
| Operate and Maintain (OM) | Providing the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security. | Protect (PR), Detect (DE) |
| Oversee and Govern (OV) | Specialty Areas responsible for providing leadership, management, direction, or development and advocacy so that the organization may effectively conduct cybersecurity work. | Identify (ID), Protect (PR), Detect (DE), Recover (RC) |
| Protect and Defend (PR) | Specialty Areas responsible for identifying, analyzing, and mitigating threats to internal information technology (IT) systems or networks. | Protect (PR), Detect (DE), Respond (RS) |
| Analyze (AN) | Specialty Areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence. | Identify (ID), Detect (DE), Respond (RS) |
| Collect and Operate (CO) | Specialty Areas responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence. | Detect (DE), Protect (PR), Respond (RS) |
| Investigate (IN) | Specialty Areas responsible for investigating cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence. | Detect (DE), Respond (RS), Recover (RC) |


3.5.1 Example Integration of CSF with NCWF

While the CSF and the NCWF were developed separately, each complements the other by
describing a hierarchical approach to achieving cybersecurity goals. Consider the following
example:

CSF’s Detect function includes a category of Security Continuous Monitoring (DE.CM). The
category includes a subcategory, DE.CM-1, pointing to an outcome of, “The network is
monitored to detect potential cybersecurity events.” While CSF describes this outcome, and
provides several informative references regarding the security controls to achieve it, CSF does
not provide any informative guidance regarding who should be responsible for attaining the
outcome, or what KSAs would apply.

Reviewing the NCWF, we identify the Cybersecurity Defense Incident Responder (PR-IR-001)
role in the Protect and Defend (PR) category, Incident Response (IR) specialty area. We
can review the description of this role to ensure that it aligns with the CSF DE.CM-1 outcome:

    Responds to disruptions within the pertinent domain to
    mitigate immediate and potential threats. Uses mitigation,
    preparedness, and response and recovery approaches to
    maximize survival of life, preservation of property, and
    information security. Investigates and analyzes relevant
    response activities and evaluates the effectiveness of and
    improvements to existing practices.

    Investigates, analyzes, and responds to cybersecurity
    incidents within the network environment or enclave.

We learn from Appendix A of this document that the person whose position includes this Work
Role might be expected to perform many of the following Tasks, which align with the desired
CSF outcome:

• T0041 - Coordinate and provide expert technical support to enterprise-wide cybersecurity
defense technicians to resolve cybersecurity defense incidents.

• T0047 - Correlate incident data to identify specific vulnerabilities and make
recommendations that enable expeditious remediation.

• T0161 - Perform analysis of log files from a variety of sources (e.g., individual host logs,
network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify
possible threats to network security.

• T0163 - Perform cybersecurity defense incident triage, to include determining scope,
urgency, and potential impact; identifying the specific vulnerability; and make
recommendations that enable expeditious remediation.

• T0170 - Perform initial, forensically sound collection of images and inspect to discern
possible mitigation/remediation on enterprise systems.

• T0175 - Perform real-time cybersecurity defense incident handling (e.g., forensic
collections, intrusion correlation and tracking, threat analysis, and direct system
remediation) tasks to support deployable Incident Response Teams (IRTs).

• T0214 - Receive and analyze network alerts from various sources within the enterprise
and determine possible causes of such alerts.

• T0233 - Track and document cybersecurity defense incidents from initial detection
through final resolution.

• T0246 - Write and publish cybersecurity defense techniques, guidance, and reports on
incident findings to appropriate constituencies.

• T0262 - Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple
places, layered defenses, security robustness).

• T0278 - Collect intrusion artifacts (e.g., source code, malware, Trojans) and use
discovered data to enable mitigation of potential cybersecurity defense incidents within
the enterprise.

• T0279 - Serve as technical expert and liaison to law enforcement personnel and explain
incident details as required.

• T0312 - Coordinate with intelligence analysts to correlate threat assessment data.

• T0333 - Perform cybersecurity defense trend analysis and reporting.

• T0395 - Write and publish after-action reviews.

• T0503 - Monitor external data sources (e.g., cybersecurity defense vendor sites,
Computer Emergency Response Teams, Security Focus) to maintain the currency of
cybersecurity defense threat condition and determine which security issues may have an
impact on the enterprise.

• T0510 - Coordinate incident response functions.

Furthermore, from Appendix B, we can learn the broad range of KSAs that might be needed by
a person whose cybersecurity position includes this Work Role.

Armed with this information, an organization seeking to achieve the outcome described by CSF
DE.CM-1 may determine whether one or more existing staff have the necessary skills to
complete the tasks described. If one or more KSAs are lacking, the employee desiring to fill that
Work Role will know specifically what areas need improvement and can seek academic classes
or industry training to gain the necessary knowledge. If no such staff are found, the employer has
specific Task descriptions and KSA requirements that may be advertised in a job posting, or that
may be used for contractor staff to augment existing personnel.

4 Future Revision Process


The NCWF builds upon decades of industry research into how to effectively manage the risks to 
valuable organizational electronic and physical information. Through the years, the industry that 
has been referred to as computer security, information security, and now cybersecurity has been 
supported by dedicated workers supporting an evolving set of Work Roles, Tasks, and KSAs. 
Cybersecurity tactics are ever-changing, always identifying new ways to gain information 
advantage through technology. As we evolve the ways we perform cybersecurity functions, so 
must the components of the NCWF continue to evolve. 

NCWF users are encouraged to provide feedback and comments through the Workforce 
Framework page at the NICE project website [14]. As part of an ongoing collaborative approach,
NICE will periodically consider the current set of recommendations for expansion, 
update/correction, withdrawal, or integration of NCWF elements. The program will work to 
achieve consensus on these recommended changes, drawing on public and private sector input 
including that of federal cybersecurity workforce and education leadership, and the NCWF 
publication will be updated accordingly. This approach provides an ongoing set of NCWF 
elements that are stable, flexible, and technically sound for use as a reference for workforce 
training and educational needs. 

Additionally, new reference materials will be developed to cross-reference elements of the 
NCWF. To the extent possible, digital reference materials will be posted to the NICE website as 
an aid to applying and utilizing NCWF and associated materials. 

4.1 Additional Concepts for Future Consideration 

Several work-related elements have been raised at various discussions and, while not currently 
integrated into the NCWF, are areas that are likely to be the subject of further research and 
guidance. The areas of further investigation are: 

• System Security Engineering (SSE) - Many elements of systems security engineering 
(a specialty engineering discipline of systems engineering) contribute to a fully 
integrated, system-level perspective of cybersecurity. Additional research will be 
conducted to ensure that the Tasks and KSAs described fully support the SSE lifecycle 
described in Draft NIST Special Publication (SP) 800-160, Systems Security Engineering 
- Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy 
Secure Systems [15]. SP 800-160 describes how SSE “helps to ensure that the appropriate
security principles, concepts, methods, and practices are applied during the system life 
cycle to achieve stakeholder objectives for the protection of assets across all forms of 
adversity characterized as disruptions, hazards, and threats; to reduce security 
vulnerability and therefore, reduce susceptibility to adversity; and to provide a sufficient 
base of evidence that supports claims that the desired level of trustworthiness has been 
achieved — that is, a level of trustworthiness that the agreed-upon asset protection needs 
of stakeholders can be adequately satisfied on a continuous basis despite such adversity.”

• Relationship of Job Title to Work Role - Job titles are a description of an employee’s
job or position in the organization. Job titles vary from organization to organization. 
Rather than looking to job titles as a means to determine that a position is in the 
cybersecurity field, it may be beneficial to look at Tasks as a means to identify the 
cybersecurity Work Roles that are being performed. For the federal government, 
development of a dedicated cybersecurity job series may enable easier translation 
between the NCWF and job titles. It would also make it easier to inventory cybersecurity 
positions and target workforce development (e.g., hiring and incentives, training, 
retention programs). 

• Competency - Extensive work has been done to consider competency models which 
support NCWF participants in many ways. The Department of Labor’s Employment and 
Training Administration [8] defines a competency as “the capability of applying or using 
knowledge, skills, abilities, behaviors, and personal characteristics to successfully 
perform critical work tasks, specific functions, or operate in a given role or position.” In 
addition to the enumeration of technical KSAs, competency models also consider 
behavioral indicators and describe nontechnical considerations such as Personal 
Effectiveness, Academic, and Workplace Competencies. Additional information about 
these considerations is available from the Department of Labor’s CareerOneStop Site. 


• Proficiency Levels and Career Paths - Beginner, Intermediate, and Senior/Expert 
proficiency levels can be described by exploring Experience & Credentials, 
Competencies/Skills and KSAs, and Training & Development Activities. The DHS
CWDT includes a section known as ADVANCE, Develop Your People, that includes 
templates to create custom cybersecurity career paths; links to training, certifications and 
professional events; and ideas for retaining staff at every level. Individual sectors, 
associations, and organizations may wish to create their own publications on proficiency 
levels and career paths.

Appendix A—Listing of NCWF Elements

A.1 NCWF Workforce Categories

Table 2 provides a description of each Category described by the NCWF. Each includes an identifier (e.g., SP) that helps to quickly
reference the Category and to support the creation of NCWF Work Role identifiers (see Table 4 - NCWF Work Roles).

Table 2 - NCWF Workforce Categories

| Categories | Descriptions |
|---|---|
| Securely Provision (SP) | Conceptualizes, designs, and builds secure information technology (IT) systems, with responsibility for aspects of systems and/or networks development. |
| Operate and Maintain (OM) | Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security. |
| Oversee and Govern (OV) | Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work. |
| Protect and Defend (PR) | Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks. |
| Analyze (AN) | Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence. |
| Collect and Operate (CO) | Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence. |
| Investigate (IN) | Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence. |

Note to Reviewers: The content listed in Appendix A and Appendix B is drawn from multiple sources. Feedback regarding the
descriptions of each NCWF component, including Tasks and KSAs, is welcome. The authors also solicit input regarding additional
Tasks that might be performed by workers in a particular Work Role, and associated KSAs.

A.2 NCWF Specialty Areas

Table 3 provides a description of each of the NCWF Specialty Areas. As with the NCWF Categories, each Specialty Area includes an
identifier (e.g., RM) that helps to quickly reference the area and further supports the creation of NCWF Work Role identifiers (see
Table 4 - NCWF Work Roles).

Table 3 - NCWF Specialty Areas


Categories 

Specialty Areas 

Specialty Area Descriptions 

Securely Provision 
(SP) 

Risk Management (RM) 

Oversees, evaluates, and supports the documentation, validation, assessment, and 
authorization processes necessary to assure that existing and new information 
technology (IT) systems meet the organization's cybersecurity and risk 
requirements. Ensures appropriate treatment of risk, compliance, and assurance 
from internal and external perspectives. 


Software Development (DEV) 

Develops and writes/codes new (or modifies existing) computer applications, 
software, or specialized utility programs following software assurance best 
practices. 


Systems Architecture (ARC) 

Develops system concepts and works on the capabilities phases of the systems 
development life cycle; translates technology and environmental conditions (e.g., 
law and regulation) into system and security designs and processes. 


Technology R&D (RD) 

Conducts technology assessment and integration processes; provides and 
supports a prototype capability and/or evaluates its utility. 


Systems Requirements Planning 
(RP) 

Consults with customers to gather and evaluate functional requirements and 
translates these requirements into technical solutions. Provides guidance to 
customers about applicability of information systems to meet business needs. 


Test and Evaluation (TE) 

Develops and conducts tests of systems to evaluate compliance with 
specifications and requirements by applying principles and methods for cost- 
effective planning, evaluating, verifying, and validating of technical, functional, 
and performance characteristics (including interoperability) of systems or 
elements of systems incoiporating IT. 


Systems Development (SYS) 

Works on the development phases of the systems development life cycle. 

Operate and Maintain 
(OM) 

Data Administration (DA) 

Develops and administers databases and/or data management systems that allow 
for the storage, query, and utilization of data. 


Knowledge Management (KM) 

Manages and administers processes and tools that enable the organization to 
identify, document, and access intellectual capital and information content. 
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Categories 

Specialty Areas 

Specialty Area Descriptions 


Customer Service and Technical 

Addresses problems; installs, configures, troubleshoots, and provides 


Support (TS) 

maintenance and training in response to customer requirements or inquiries (e.g., 
tiered-level customer support). 


Network Services (NET) 

Installs, configures, tests, operates, maintains, and manages networks and their 
firewalls, including hardware (e.g., hubs, bridges, switches, multiplexers, routers, 
cables, proxy servers, and protective distributor systems) and software that 
permit the sharing and transmission of all spectrum transmissions of information 
to support the security of information and information systems. 


Systems Administration (SA) 

Installs, configures, troubleshoots, and maintains server configurations 
(hardware and software) to ensure their confidentiality, integrity, and 
availability. Also, manages accounts, firewalls, and patches. Responsible for 
access control, passwords, and account creation and administration. 


Systems Analysis (AN) 

Conducts the integration/testing, operations, and maintenance of systems 
security. 

Oversee and Govern 

Legal Advice and Advocacy 

Provides legally sound advice and recommendations to leadership and staff on a 

(OV) 

(LG) 

variety of relevant topics within the pertinent subject domain. Advocates legal 
and policy changes, and makes a case on behalf of client via a wide range of 
written and oral work products, including legal briefs and proceedings. 


Training, Education, and 
Awareness (ED) 

Conducts training of personnel within pertinent subject domain. Develops, plans, 
coordinates, delivers and/or evaluates training courses, methods, and techniques 
as appropriate. 


Cybersecurity Management 
(MG) 

Oversees the cybersecurity program of an information system or network; 
including managing information security implications within the organization, 
specific program, or other area of responsibility, to include strategic, personnel, 
infrastructure, requirements, policy enforcement, emergency planning, security 
awareness, and other resources. 


Strategic Planning and Policy 
(PL) 

Develops policies and plans and/or advocates for changes in policy that supports 
organizational cyberspace initiatives or required changes/enhancements. 


Executive Cybersecurity 
Leadership (EX) 

Supervises, manages, and/or leads work and workers performing cybersecurity 
work 


Acquisition and Program/Project 
Management (PM) 

Applies knowledge of data, information, processes, organizational interactions, 
skills, and analytical expertise, as well as systems, networks, and information 
exchange capabilities to manage acquisition programs. Executes duties 
governing hardware, software, and information system acquisition programs and 
other program management policies. Provides direct support for acquisitions that 
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Categories 

Specialty Areas 

Specialty Area Descriptions 



use information technology (IT) (including National Security Systems), applying 
IT-related laws and policies, and provides IT-related guidance throughout the 
total acquisition life-cycle. 

Protect and Defend 
(PR) 

Cybersecurity Defense Analysis 
(DA) 

Uses defensive measures and information collected from a variety of sources to 
identify, analyze, and report events that occur or might occur within the network 
in order to protect information, information systems, and networks from threats. 

Cybersecurity Defense 
Infrastructure Support (INF) 

Tests, implements, deploys, maintains, reviews, and administers the 
infrastructure hardware and software that are required to effectively manage the 
computer network defense service provider network and resources. Monitors 
network to actively remediate unauthorized activities. 

Incident Response (IR) 

Responds to crises or urgent situations within the pertinent domain to mitigate 
immediate and potential threats. Uses mitigation, preparedness, and response and 
recovery approaches, as needed, to maximize survival of life, preservation of 
property, and information security. Investigates and analyzes all relevant 
response activities. 

Vulnerability Assessment and 
Management (VA) 

Conducts assessments of threats and vulnerabilities; determines deviations from 
acceptable configurations, enterprise or local policy; assesses the level of risk; 
and develops and/or recommends appropriate mitigation countermeasures in 
operational and nonoperational situations. 

Analyze (AN)

Threat Analysis (TA) 

Identifies and assesses the capabilities and activities of cybersecurity criminals 
or foreign intelligence entities; produces findings to help initialize or support law 
enforcement and counterintelligence investigations or activities. 

Exploitation Analysis (XA) 

Analyzes collected information to identify vulnerabilities and potential for 
exploitation. 

All-Source Analysis (AN) 

Analyzes threat information from multiple sources, disciplines, and agencies 
across the Intelligence Community. Synthesizes and places intelligence 
information in context; draws insights about the possible implications. 

Targets (TD) 

Applies current knowledge of one or more regions, countries, non-state entities, 
and/or technologies. 

Language Analysis (LA) 

Applies language, cultural, and technical expertise to support information 
collection, analysis, and other cybersecurity activities. 

Collect and Operate 
(CO) 

Collection Operations (CL) 

Executes collection using appropriate strategies and within the priorities 
established through the collection management process. 

Cyber Operational Planning (PL) 

Performs in-depth joint targeting and cybersecurity planning process. Gathers 
information and develops detailed Operational Plans and Orders supporting 
requirements. Conducts strategic and operational-level planning across the full 
range of operations for integrated information and cyberspace operations. 


Cyber Operations (OP) 

Performs activities to gather evidence on criminal or foreign intelligence entities 
in order to mitigate possible or real-time threats, protect against espionage or 
insider threats, foreign sabotage, international terrorist activities, or to support 
other intelligence activities. 

Investigate (IN)

Cyber Investigation (CI)

Applies tactics, techniques, and procedures for a full range of investigative tools 
and processes to include, but not limited to, interview and interrogation 
techniques, surveillance, counter surveillance, and surveillance detection, and 
appropriately balances the benefits of prosecution versus intelligence gathering. 


Digital Forensics (FO) 

Collects, processes, preserves, analyzes, and presents computer-related evidence 
in support of network vulnerability mitigation, and/or criminal, fraud, 
counterintelligence or law enforcement investigations. 
A.3 NCWF Work Roles

Table 4 provides a description of each of the Work Roles described by the NCWF. Each Work Role is identified by the Category and
Specialty Area, followed by a sequential number (e.g., SP-RM-001 is the first Work Role in the SP Category, RM Specialty Area).
Some of the Work Role Descriptions originate with external documents (e.g., Committee on National Security Systems Instruction
[CNSSI] 4009) and include that information in the description column. As described in Section 4, the NCWF will be periodically
refreshed, with some Work Roles becoming deprecated, added, or modified to address changes to the cybersecurity workforce
landscape.

Table 4 - NCWF Work Roles


Category 

Specialty Area 

Work Role 

NCWF ID 

Work Role Description 

Securely Provision (SP)

Risk Management (RM)

Authorizing Official/Designating Representative

SP-RM-001

Senior official or executive with the authority to formally 
assume responsibility for operating an information 
system at an acceptable level of risk to organizational 
operations (including mission, functions, image, or 
reputation), organizational assets, individuals, other 
organizations, and the Nation (CNSSI 4009). 



Security Control Assessor 

SP-RM-002 

Conducts independent comprehensive assessments of the 
management, operational, and technical security controls 
and control enhancements employed within or inherited 
by an information technology (IT) system to determine 
the overall effectiveness of the controls (as defined in
NIST SP 800-37).


Software Development (DEV)

Software Developer

SP-DEV-001

Develops, creates, maintains, and writes/codes new (or
modifies existing) computer applications, software, or
specialized utility programs.



Secure Software Assessor 

SP-DEV-002 

Analyzes the security of new or existing computer 
applications, software, or specialized utility programs and 
provides actionable results. 


Systems Architecture (ARC)

Enterprise Architect 

SP-ARC-001 

Develops and maintains business, systems, and 
information processes to support enterprise mission 
needs; develops information technology (IT) rules and 
requirements that describe baseline and target 
architectures. 

Security Architect 

SP-ARC-002 

Designs enterprise and systems security throughout the 
development life cycle; translates technology and 
environmental conditions (e.g., law and regulation) into 
security designs and processes. 


Technology R&D 
(RD) 

Research & Development 
Specialist 

SP-RD-001 

Conducts software and systems engineering and software 
systems research in order to develop new capabilities, 
ensuring cybersecurity is fully integrated. Conducts 
comprehensive technology research to evaluate potential 
vulnerabilities in cyberspace systems. 


Systems 
Requirements 
Planning (RP) 

Systems Requirements 
Planner 

SP-RP-001 

Consults with customers to evaluate functional 
requirements and translate functional requirements into 
technical solutions. 


Test and Evaluation (TE)

System Testing and 
Evaluation Specialist 

SP-TE-001 

Plans, prepares, and executes tests of systems to evaluate 
results against specifications and requirements as well as 
analyze/report test results. 


Systems Development (SYS)

Information Systems Security Developer

SP-SYS-001

Designs, develops, tests, and evaluates information 
system security throughout the systems development life 
cycle. 



Systems Developer 

SP-SYS-002 

Designs, develops, tests, and evaluates information 
systems throughout the systems development life cycle. 

Operate and Maintain (OM)

Data Administration (DA)

Database Administrator

OM-DA-001

Administers databases and/or data management systems
that allow for the storage, query, and utilization of data.

Data Analyst 

OM-DA-002 

Examines data from multiple disparate sources with the 
goal of providing new insight. Designs and implements 
custom algorithms, flow processes, and layouts for 
complex, enterprise-scale data sets used for modeling, 
data mining, and research purposes. 


Knowledge Management (KM)

Knowledge Manager

OM-KM-001

Responsible for the management and administration of 
processes and tools that enable the organization to 
identify, document, and access intellectual capital and 
information content. 

Customer Service 
and Technical 
Support (TS) 

Technical Support Specialist 

OM-TS-001

Provides technical support to customers who need 
assistance utilizing client-level hardware and software in 
accordance with established or approved organizational 
process components (i.e., Master Incident Management 
Plan, when applicable). 

Network Services 
(NET) 

Network Operations Specialist

OM-NET-001

Plans, implements, and operates network 
services/systems, to include hardware and virtual 
environments. 

Systems Administration (SA)

System Administrator

OM-SA-001

Installs, configures, troubleshoots, and maintains 
hardware and software, and administers system accounts. 

Systems Analysis 
(AN) 

Systems Security Analyst 

OM-AN-001

Responsible for the analysis and development of the 
integration, testing, operations, and maintenance of 
systems security. 

Oversee and Govern (OV)

Legal Advice and
Advocacy (LG)

Cyber Legal Advisor

OV-LG-001

Provides legal advice and recommendations on relevant 
topics related to cyber law. 

Privacy Compliance Manager

OV-LG-002 

Develops and oversees privacy compliance program and 
privacy program staff, supporting privacy compliance 
needs of privacy and security executives and their teams. 

Training, Education, and
Awareness (ED)

Cyber Instructional
Curriculum Developer

OV-ED-001

Develops, plans, coordinates, and evaluates cyber 
training/education courses, methods, and techniques 
based on instructional needs. 

Cyber Instructor 

OV-ED-002 

Develops and conducts training or education of personnel 
within cyber domain. 

Cybersecurity Management (MG)

Information Systems Security Manager

OV-MG-001

Responsible for the cybersecurity of a program, 
organization, system, or enclave. 

COMSEC Manager 

OV-MG-002 

Manages the Communications Security (COMSEC) 
resources of an organization (CNSSI 4009). 

Strategic Planning 
and Policy (PL) 

Cyber Workforce Developer 
and Manager 

OV-PL-001

Develops cyberspace workforce plans, strategies and 
guidance to support cyberspace workforce manpower, 
personnel, training and education requirements and to 
address changes to cyberspace policy, doctrine, materiel, 
force structure, and education and training requirements. 


Cyber Policy and Strategy 
Planner 

OV-PL-002 

Develops cyberspace plans, strategy and policy to 
support and align with organizational cyberspace 
missions and initiatives. 

Executive Cyber 
Leadership (EX) 

Executive Cyber Leadership 

OV-EX-001

Executes decision-making authorities and establishes 
vision and direction for an organization's cyber and 
cyber-related resources and/or operations. 

Acquisition and
Program/Project
Management (PM)

Program Manager

OV-PM-001

Leads, coordinates, communicates, integrates, and is 
accountable for the overall success of the program, 
ensuring alignment with critical agency priorities. 

IT Project Manager 

OV-PM-002 

Directly manages information technology projects to 
provide a unique service or product. 

Product Support Manager 

OV-PM-003 

Manages the package of support functions required to 
field and maintain the readiness and operational 
capability of systems and components. 

IT Investment/Portfolio 
Manager 

OV-PM-004 

Manages a portfolio of IT capabilities that align with the 
overall needs of mission and business enterprise 
priorities. 

IT Program Auditor 

OV-PM-005 

Conducts evaluations of an IT program or its individual 
components, to determine compliance with published 
standards. 

Protect and 
Defend (PR) 

Cyber Defense 
Analysis (DA) 

Cyber Defense Analyst 

PR-DA-001 

Uses data collected from a variety of cyber defense tools 
(e.g., IDS alerts, firewalls, network traffic logs) to 
analyze events that occur within their environments for 
the purposes of mitigating threats. 

Cyber Defense 
Infrastructure 
Support (INF) 

Cyber Defense Infrastructure Support
Specialist

PR-INF-001 

Tests, implements, deploys, maintains, and administers 
the infrastructure hardware and software. 

Incident Response (IR)

Cyber Defense Incident 
Responder 

PR-IR-001 

Investigates, analyzes, and responds to cyber incidents 
within the network environment or enclave. 

Vulnerability 
Assessment and 
Management (VA) 

Vulnerability Assessment 
Analyst 

PR-VA-001 

Performs assessments of systems and networks within the 
network environment or enclave and identifies where 
those systems/networks deviate from acceptable 
configurations, enclave policy, or local policy. Measures 
effectiveness of defense-in-depth architecture against 
known vulnerabilities. 

Analyze (AN)

Threat Analysis 
(TA) 

Warning Analyst 

AN-TA-001 

Develops unique cyber indicators to maintain constant 
awareness of the status of the highly dynamic operating 
environment. Collects, processes, analyzes, and 
disseminates cyber warning assessments. 


Exploitation 
Analysis (XA) 

Exploitation Analyst 

AN-XA-001 

Collaborates to identify access and collection gaps that 
can be satisfied through cyber collection and/or 
preparation activities. Leverages all authorized resources 
and analytic techniques to penetrate targeted networks. 


All-Source Analysis (AN)

All-Source Analyst 

AN-AN-001 

Analyzes data/information from one or multiple sources 
to conduct preparation of the environment, respond to 
requests for information, and submit intelligence 
collection and production requirements in support of 
planning and operations. 



Mission Assessment Specialist

AN-AN-002

Develops assessment plans and measures of
performance/effectiveness. Conducts strategic and
operational effectiveness assessments as required for
cyber events. Determines whether systems performed as
expected and provides input to the determination of
operational effectiveness.


Targets (TD) 

Target Developer 

AN-TD-001 

Performs target system analysis, builds and/or maintains 
electronic target folders to include inputs from 
environment preparation, and/or internal or external 
intelligence sources. Coordinates with partner target 
activities and intelligence organizations, and presents 
candidate targets for vetting and validation. 



Target Network Analyst 

AN-TD-002 

Conducts advanced analysis of collection and open- 
source data to ensure target continuity; to profile targets 
and their activities; and develop techniques to gain more 
target information. Determines how targets 
communicate, move, operate and live based on 
knowledge of target technologies, digital networks and 
the applications on them. 


Language Analysis (LA)

Multi-Disciplined Language 
Analyst 

AN-LA-001 

Applies language and culture expertise with target/threat 
and technical knowledge to process, analyze, and/or 
disseminate intelligence information derived from 
language, voice and/or graphic material. Creates, and 
maintains language specific databases and working aids 
to support cyber action execution and ensure critical 
knowledge sharing. Provides subject matter expertise in 
foreign language-intensive or interdisciplinary projects. 

Collect and Operate (CO)

Collection
Operations (CL)

All Source-Collection
Manager

CO-CL-001

Identifies collection authorities and environment; 
incorporates priority information requirements into 
collection management; develops concepts to meet 
leadership's intent. Determines capabilities of available 
collection assets, identifies new collection capabilities; 
and constructs and disseminates collection plans.
Monitors execution of tasked collection to ensure
effective execution of the collection plan. 

All Source-Collection 
Requirements Manager 

CO-CL-002 

Evaluates collection operations and develops effects- 
based collection requirements strategies using available 
sources and methods to improve collection. Develops, 
processes, validates, and coordinates submission of 
collection requirements. Evaluates performance of 
collection assets and collection operations. 

Cyber Operational 
Planning (PL) 

Cyber Intel Planner 

CO-PL-001

Develops detailed intelligence plans to satisfy cyber 
operations requirements. Collaborates with cyber 
operations planners to identify, validate, and levy 
requirements for collection and analysis. Participates in 
targeting selection, validation, synchronization, and 
execution of cyber actions. Synchronizes intelligence 
activities to support organization objectives in 
cyberspace. 



Cyber Ops Planner 

CO-PL-002 

Develops detailed plans for the conduct or support of the 
applicable range of cyber operations through 
collaboration with other planners, operators and/or 
analysts. Participates in targeting selection, validation, 
synchronization, and enables integration during the 
execution of cyber actions. 



Partner Integration Planner 

CO-PL-003 

Works to advance cooperation across organizational or 
national borders between cyber operations partners. Aids 
the integration of partner cyber teams by providing 
guidance, resources, and collaboration to develop best 
practices and facilitate organizational support for 
achieving objectives in integrated cyber actions. 


Cyber Operations 
(OP) 

Cyber Operator 

CO-OP-001

Conducts collection, processing, and/or geolocation of 
systems in order to exploit, locate, and/or track targets of 
interest. Performs network navigation, tactical forensic 
analysis, and, when directed, executing on-net operations. 

Investigate (IN)

Cyber Investigation (CI)

Cyber Crime Investigator 

IN-CI-001 

Identifies, collects, examines, and preserves evidence 
using controlled and documented analytical and 
investigative techniques. 


Digital Forensics 
(FO) 

Forensics Analyst 

IN-FO-001

Conducts deep-dive investigations on computer-based 
crimes establishing documentary or physical evidence, to 
include digital media and logs associated with cyber 
intrusion incidents. 



Cyber Defense Forensics 
Analyst 

IN-FO-002 

Analyzes digital evidence and investigates computer 
security incidents to derive useful information in support 
of system/network vulnerability mitigation. 
A.4 NCWF Work Role Tasks

Table 5 provides a listing of the various Tasks associated with NCWF Work Roles. Because the
Tasks have evolved over many years and are expected to continue to do so, they are not sorted in
a particular order and will simply continue to grow sequentially.

Table 5 - NCWF Work Role Tasks


Task 

Task Description 

T0001 

Acquire and manage the necessary resources, including leadership support, financial 
resources, and key security personnel, to support information technology (IT) security goals 
and objectives and reduce overall organizational risk. 

T0002 

Acquire necessary resources, including financial resources, to conduct an effective enterprise 
continuity of operations program. 

T0003 

Advise senior management (e.g., Chief Information Officer [CIO]) on risk levels and security 
posture. 

T0004 

Advise senior management (e.g., CIO) on cost/benefit analysis of information security 
programs, policies, processes, and systems, and elements. 

T0005 

Advise appropriate senior leadership or Authorizing Official of changes affecting the 
organization's cybersecurity posture. 

T0006 

Advocate organization's official position in legal and legislative proceedings. 

T0007 

Analyze and define data requirements and specifications. 

T0008 

Analyze and plan for anticipated changes in data capacity requirements. 

T0009 

Analyze information to determine, recommend, and plan the development of a new 
application or modification of an existing application. 

T0010

Analyze organization's cyber defense policies and configurations and evaluate compliance 
with regulations and organizational directives. 

T0011

Analyze user needs and software requirements to determine feasibility of design within time 
and cost constraints. 

T0012

Analyze design constraints, analyze trade-offs and detailed system and security design, and 
consider lifecycle support. 

T0013

Apply coding and testing standards, apply security testing tools including "fuzzing" static-analysis
code scanning tools, and conduct code reviews.

T0014

Apply secure code documentation. 

T0015

Apply security policies to applications that interface with one another, such as Business-to- 
Business (B2B) applications. 

T0016

Apply security policies to meet security objectives of the system. 

T0017

Apply service oriented security architecture principles to meet organization's confidentiality, 
integrity, and availability requirements. 

T0018

Assess the effectiveness of cybersecurity measures utilized by system(s).

T0019

Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile. 

T0020 

Develop content for cyber defense tools. 

T0021 

Build, test, and modify product prototypes using working models or theoretical models. 

T0022 

Capture security controls used during the requirements phase to integrate security within the 
process, to identify key security objectives, and to maximize software security while 
minimizing disruption to plans and schedules. 

T0023 

Characterize and analyze network traffic to identify anomalous activity and potential threats to 
network resources. 

T0024 

Collect and maintain data needed to meet system cybersecurity reporting. 

T0025 

Communicate the value of information technology (IT) security throughout all levels of the 
organization stakeholders. 

T0026 

Compile and write documentation of program development and subsequent revisions, 
inserting comments in the coded instructions so others can understand the program. 

T0027 

Conduct analysis of log files, evidence, and other information in order to determine best 
methods for identifying the perpetrator(s) of a network intrusion. 

T0028 

Conduct and/or support authorized penetration testing on enterprise network assets. 

T0029 

Conduct functional and connectivity testing to ensure continuing operability. 

T0030 

Conduct interactive training exercises to create an effective learning environment. 

T0031 

Conduct interviews of victims and witnesses and conduct interviews or interrogations of 
suspects. 

T0032 

Conduct Privacy Impact Assessments (PIA) of the application’s security design for the 
appropriate security controls, which protect the confidentiality and integrity of Personally 
Identifiable Information (PII). 

T0033 

Conduct risk analysis, feasibility study, and/or trade-off analysis to develop, document, and 
refine functional requirements and specifications. 

T0034 

Confer with systems analysts, engineers, programmers, and others to design application and to 
obtain information on project limitations and capabilities, performance requirements, and 
interfaces. 

T0035 

Configure and optimize network hubs, routers, and switches (e.g., higher-level protocols, 
tunneling). 

T0036 

Confirm what is known about an intrusion and discover new information, if possible, after 
identifying intrusion via dynamic analysis. 

T0037 

Construct access paths to suites of information (e.g., link pages) to facilitate access by end- 
users. 

T0038 

Develop threat model based on customer interviews and requirements. 

T0039 

Consult with customers to evaluate functional requirements. 

T0040 

Consult with engineering staff to evaluate interface between hardware and software. 

T0041 

Coordinate and provide expert technical support to enterprise-wide cyber defense technicians 
to resolve cyber defense incidents. 

T0042 

Coordinate with Cyber Defense Analysts to manage and administer the updating of rules and 
signatures (e.g., intrusion detection/protection systems, anti-virus, and content blacklists) for 
specialized cyber defense applications. 

T0043 

Coordinate with enterprise-wide cyber defense staff to validate network alerts. 

T0044 

Collaborate with stakeholders to establish the enterprise continuity of operations program, 
strategy, and mission assurance. 

T0045 

Coordinate with systems architects and developers, as needed, to provide oversight in the 
development of design solutions. 

T0046 

Correct errors by making appropriate changes and rechecking the program to ensure desired 
results are produced. 

T0047 

Correlate incident data to identify specific vulnerabilities and make recommendations that 
enable expeditious remediation. 

T0048 

Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the 
original evidence is not unintentionally modified, to use for data recovery and analysis 
processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile 
phones, GPS, and all tape formats. 

T0049 

Decrypt seized data using technical means. 

T0050 

Define and prioritize essential system capabilities or business functions required for partial or 
full system restoration after a catastrophic failure event. 
T0051

Define appropriate levels of system availability based on critical system functions and ensure 
system requirements identify appropriate disaster recovery and continuity of operations 
requirements to include any appropriate fail-over/alternate site requirements, backup 
requirements, and material supportability requirements for system recover/restoration. 

T0052 

Define project scope and objectives based on customer requirements. 

T0053 

Design and develop cybersecurity or cybersecurity-enabled products. 

T0054 

Design group policies and access control lists to ensure compatibility with organizational 
standards, business rules, and needs. 

T0055 

Design hardware, operating systems, and software applications to adequately address 
cybersecurity requirements. 

T0056 

Design or integrate appropriate data backup capabilities into overall system designs, and 
ensure appropriate technical and procedural processes exist for secure system backups and 
protected storage of backup data. 

T0057 

Design, develop, and modify software systems, using scientific analysis and mathematical 
models to predict and measure outcome and consequences of design. 

T0058 

Determine level of assurance of developed capabilities based on test results. 

T0059 

Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing 
computers and the internet. 

T0060 

Develop an understanding of the needs and requirements of information end-users. 

T0061 

Develop and direct system testing and validation procedures and documentation. 

T0062 

Develop and document requirements, capabilities, and constraints for design procedures and 
processes. 

T0063 

Develop and document systems administration standard operating procedures. 

T0064 

Review and validate data mining and data warehousing programs, processes, and 
requirements. 

T0065 

Develop and implement network backup and recovery procedures. 

T0066 

Develop and maintain strategic plans. 

T0067 

Develop architectures or system components consistent with technical specifications. 

T0068 

Develop data standards, policies, and procedures. 

T0069 

Develop detailed security design documentation for component and interface specifications to 
support system design and development. 

T0070 

Develop Disaster Recovery and Continuity of Operations plans for systems under 
development and ensure testing prior to systems entering a production environment. 

T0071 

Develop/integrate cybersecurity designs for systems and networks with multilevel security 
requirements or requirements for the processing of multiple classification levels of data 
primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP 
SECRET). 

T0072 

Develop methods to monitor and measure risk, compliance, and assurance efforts. 

T0073 

Develop new or identify existing awareness and training materials that are appropriate for 
intended audiences. 

T0074 

Develop policy, programs, and guidelines for implementation. 

T0075 

Provide technical summary of findings in accordance with established reporting procedures. 

T0076 

Develop risk mitigation strategies to resolve vulnerabilities and recommend security changes 
to system or system components as needed. 

T0077 

Develop secure code and error handling. 

T0078 

Develop specific cybersecurity countermeasures and risk mitigation strategies for systems 
and/or applications. 
T0079

Develop specifications to ensure risk, compliance, and assurance efforts conform with 
security, resilience, and dependability requirements at the software application, system, and 
network environment level. 

T0080 

Develop test plans to address specifications and requirements. 

T0081 

Diagnose network connectivity problem. 

T0082 

Document and address organization's information security, cybersecurity architecture, and 
systems security engineering requirements throughout the acquisition lifecycle. 

T0083 

Draft statements of preliminary or residual security risks for system operation. 

T0084 

Employ secure configuration management processes. 

T0085 

Ensure all systems security operations and maintenance activities are properly documented 
and updated as necessary. 

T0086 

Ensure application of security patches for commercial products integrated into system design 
meet the timelines dictated by the management authority for the intended operational 
environment. 

T0087 

Ensure chain of custody is followed for all digital media acquired in accordance with the
Federal Rules of Evidence.

T0088 

Ensure cybersecurity-enabled products or other compensating security control technologies 
reduce identified risk to an acceptable level. 

T0089 

Ensure security improvement actions are evaluated, validated, and implemented as required. 

T0090 

Ensure acquired or developed system(s) and architecture(s) are consistent with organization's 
cybersecurity architecture guidelines. 

T0091 

Ensure that cybersecurity inspections, tests, and reviews are coordinated for the network 
environment. 

T0092 

Ensure that cybersecurity requirements are integrated into the continuity planning for that 
system and/or organization(s). 

T0093 

Ensure that protection and detection capabilities are acquired or developed using the IS 
security engineering approach and are consistent with organization-level cybersecurity 
architecture. 

T0094 

Establish and maintain communication channels with stakeholders. 

T0095 

Establish overall enterprise information security architecture (EISA) with the organization’s 
overall security strategy. 

T0096 

Establish relationships, if applicable, between the incident response team and other groups, 
both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, 
and public relations professionals). 

T0097 

Evaluate and approve development efforts to ensure that baseline security safeguards are 
appropriately installed. 

T0098 

Evaluate contracts to ensure compliance with funding, legal, and program requirements. 

T0099 

Evaluate cost benefit, economic, and risk analysis in decision making process. 

T0100

Evaluate factors such as reporting formats required, cost constraints, and need for security 
restrictions to determine hardware configuration. 

T0101 

Evaluate the effectiveness and comprehensiveness of existing training programs. 

T0102

Evaluate the effectiveness of laws, regulations, policies, standards, or procedures. 

T0103

Examine recovered data for information of relevance to the issue at hand. 

T0104

Fuse computer network attack analyses with criminal and counterintelligence investigations 
and operations. 

T0105

Identify components or elements, allocate security functions to those elements, and describe 
the relationships between the elements. 

T0106

Identify alternative information security strategies to address organizational security objective.

T0107

Identify and direct the remediation of technical problems encountered during testing and 
implementation of new systems (e.g., identify and find work-arounds for communication 
protocols that are not interoperable). 

T0108

Identify and prioritize critical business functions in collaboration with organizational 
stakeholders. 

T0109

Identify and prioritize essential system functions or sub-systems required to support essential 
capabilities or business functions for restoration or recovery after a system failure or during a 
system recovery event based on overall system requirements for continuity and availability. 

T0110 

Identify and/or determine whether a security incident is indicative of a violation of law that 
requires specific legal action. 

T0111 

Identify basic common coding flaws at a high level. 

T0112 

Identify data or intelligence of evidentiary value to support counterintelligence and criminal 
investigations. 

T0113 

Identify digital evidence for examination and analysis in such a way as to avoid unintentional 
alteration. 

T0114 

Identify elements of proof of the crime. 

T0115 

Identify information technology (IT) security program implications of new technologies or 
technology upgrades. 

T0116 

Identify organizational policy stakeholders. 

T0117 

Identify security implications and apply methodologies within centralized and decentralized 
environments across the enterprise's computer systems in software development.

T0118 

Identify security issues around steady state operation and management of software and 
incorporate security measures that must be taken when a product reaches its end of life. 

T0119 

Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use 
within a system and ensure recommended products are in compliance with organization's 
evaluation and validation requirements. 

T0120 

Identify, collect, and seize documentary or physical evidence, to include digital media and 
logs associated with cyber intrusion incidents, investigations, and operations. 

T0121 

Implement new system design procedures, test procedures, and quality standards. 

T0122

Implement security designs for new or existing system(s). 

T0123

Implement specific cybersecurity countermeasures for systems and/or applications. 

T0124

Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity 
Vulnerability Alerts). 

T0125

Install and maintain network infrastructure device operating system software (e.g., IOS, 
firmware). 

T0126 

Install or replace network hubs, routers, and switches. 

T0127

Integrate and align information security and/or cybersecurity policies to ensure system 
analysis meets security requirements. 

T0128 

Integrate automated capabilities for updating or patching system software where practical and 
develop processes and procedures for manual updating and patching of system software based 
on current and projected patch timeline requirements for the operational environment of the 
system. 

T0129 

Integrate new systems into existing network architecture. 

T0130 

Interface with external organizations (e.g., public affairs, law enforcement, Command or 
Component Inspector General) to ensure appropriate and accurate dissemination of incident 
and other Computer Network Defense information. 

T0131 

Interpret and apply laws, regulations, policies, standards, or procedures to specific issues. 

T0132

Interpret and/or approve security requirements relative to the capabilities of new information 
technologies.

T0133

Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall 
effectiveness of the enterprise’s cybersecurity program. 

T0134

Lead and align information technology (IT) security priorities with the security strategy. 

T0135 

Lead and oversee information security budget, staffing, and contracting. 

T0136 

Maintain baseline system security according to organizational policies. 

T0137 

Maintain database management systems software. 

T0138 

Maintain deployable cyber defense audit toolkit (e.g., specialized cyber defense software and 
hardware) to support cyber defense audit missions. 

T0139 

Maintain directory replication services that enable information to replicate automatically from 
rear servers to forward units via optimized routing. 

T0140

Maintain information exchanges through publish, subscribe, and alert functions that enable 
users to send and receive critical information as required. 

T0141 

Maintain information systems assurance and accreditation materials. 

T0142

Maintain knowledge of applicable cyber defense policies, regulations, and compliance 
documents specifically related to cyber defense auditing. 

T0143

Make recommendations based on test results. 

T0144

Manage accounts, network rights, and access to systems and equipment. 

T0145

Manage and approve Accreditation Packages (e.g., ISO/IEC 15026-2).

T0146

Manage the compilation, cataloging, caching, distribution, and retrieval of data. 

T0147

Manage the monitoring of information security data sources to maintain organizational 
situational awareness. 

T0148 

Manage the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of 
Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency. 

T0149

Manage threat or target analysis of cyber defense information and production of threat 
information within the enterprise. 

T0150

Monitor and evaluate a system's compliance with information technology (IT) security, 
resilience, and dependability requirements. 

T0151 

Monitor and evaluate the effectiveness of the enterprise's cybersecurity safeguards to ensure 
they provide the intended level of protection. 

T0152

Monitor and maintain databases to ensure optimal performance. 

T0153 

Monitor network capacity and performance. 

T0154

Monitor and report the usage of knowledge management assets and resources. 

T0155 

Document and escalate incidents (including event’s history, status, and potential impact for 
further action) that may cause ongoing and immediate impact to the environment. 

T0156

Oversee and make recommendations regarding configuration management. 

T0157

Oversee the information security training and awareness program. 

T0158 

Participate in an information security risk assessment during the Security Assessment and 
Authorization process. 

T0159 

Participate in the development or modification of the computer environment cybersecurity 
program plans and requirements. 

T0160

Patch network vulnerabilities to ensure information is safeguarded against outside parties. 

T0161 

Perform analysis of log files from a variety of sources (e.g., individual host logs, network 
traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible 
threats to network security. 

T0162

Perform backup and recovery of databases to ensure data integrity. 

T0163

Perform cyber defense incident triage, to include determining scope, urgency, and potential 
impact; identifying the specific vulnerability; and making recommendations that enable 
expeditious remediation.

T0164

Perform cyber defense trend analysis and reporting. 

T0165

Perform dynamic analysis to boot an “image” of a drive (without necessarily having the 
original drive) to see the intrusion as the user may have seen it, in a native environment. 

T0166

Perform event correlation using information gathered from a variety of sources within the 
enterprise to gain situational awareness and determine the effectiveness of an observed attack. 

T0167

Perform file signature analysis. 

T0168

Perform hash comparison against established database. 

T0169

Perform cybersecurity testing of developed applications and/or systems. 

T0170

Perform initial, forensically sound collection of images and inspect to discern possible 
mitigation/remediation on enterprise systems. 

T0171 

Perform integrated quality assurance testing for security functionality and resiliency attack. 

T0172

Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView). 

T0173

Perform timeline analysis. 

T0174

Perform needs analysis to determine opportunities for new and improved business process 
solutions. 

T0175

Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion 
correlation and tracking, threat analysis, and direct system remediation) tasks to support 
deployable Incident Response Teams (IRTs). 

T0176

Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities. 

T0177

Perform security reviews, identify gaps in security architecture, and develop a security risk 
management plan. 

T0178

Perform security reviews and identify security gaps in security architecture resulting in 
recommendations for the inclusion into the risk mitigation strategy. 

T0179

Perform static media analysis. 

T0180

Perform system administration on specialized cyber defense applications and systems (e.g., 
anti-virus, audit and remediation) or Virtual Private Network (VPN) devices, to include 
installation, configuration, maintenance, backup and restoration. 

T0181 

Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an 
application or system undergoes a major change. 

T0182

Perform tier 1, 2, and 3 malware analysis. 

T0183

Perform validation steps, comparing actual results with expected results and analyze the 
differences to identify impact and risks. 

T0184

Plan and conduct security authorization reviews and assurance case development for initial 
installation of systems and networks. 

T0185

Plan and manage the delivery of knowledge management projects. 

T0186

Plan, execute, and verify data redundancy and system recovery procedures. 

T0187

Plan and recommend modifications or adjustments based on exercise results or system 
environment. 

T0188 

Prepare audit reports that identify technical and procedural findings, and provide 
recommended remediation strategies/solutions. 

T0189

Prepare detailed workflow charts and diagrams that describe input, output, and logical 
operation, and convert them into a series of instructions coded in a computer language. 

T0190

Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in 
accordance with standard operating procedures). 

T0191 

Prepare use cases to justify the need for specific information technology (IT) solutions. 

T0192

Prepare, distribute, and maintain plans, instructions, guidance, and standard operating 
procedures concerning the security of network system(s) operations. 

T0193

Process crime scenes.

T0194

Properly document all systems security implementation, operations and maintenance activities 
and update as necessary. 

T0195

Provide a managed flow of relevant information (via web-based portals or other means) based 
on mission requirements. 

T0196

Provide advice on project costs, design concepts, or design changes. 

T0197

Provide an accurate technical evaluation of the software application, system, or network, 
documenting the security posture, capabilities, and vulnerabilities against relevant 
cybersecurity compliances. 

T0198

Provide daily summary reports of network events and activity relevant to cyber defense 
practices. 

T0199

Provide enterprise cybersecurity and supply chain risk management guidance for development
of the Continuity of Operations Plans. 

T0200 

Provide feedback on network requirements, including network architecture and infrastructure. 

T0201 

Provide guidelines for implementing developed systems to customers or installation teams. 

T0202 

Provide cybersecurity guidance to leadership. 

T0203 

Provide input on security requirements to be included in statements of work and other 
appropriate procurement documents. 

T0204 

Provide input to implementation plans and standard operating procedures. 

T0205 

Provide input to the Risk Management Framework process activities and related 
documentation (e.g., system life-cycle support plans, concept of operations, operational 
procedures, and maintenance training materials). 

T0206 

Provide leadership and direction to information technology (IT) personnel by ensuring that 
cybersecurity awareness, basics, literacy, and training are provided to operations personnel 
commensurate with their responsibilities. 

T0207 

Provide ongoing optimization and problem solving support. 

T0208 

Provide recommendations for possible improvements and upgrades. 

T0209 

Provide recommendations on data structures and databases that ensure correct and quality 
production of reports/management information. 

T0210 

Provide recommendations on new database technologies and architectures. 

T0211 

Provide system related input on cybersecurity requirements to be included in statements of 
work and other appropriate procurement documents. 

T0212 

Provide technical assistance on digital evidence matters to appropriate personnel. 

T0213 

Provide technical documents, incident reports, findings from computer examinations, 
summaries, and other situational awareness information to higher headquarters. 

T0214 

Receive and analyze network alerts from various sources within the enterprise and determine 
possible causes of such alerts. 

T0215 

Recognize a possible security violation and take appropriate action to report the incident, as 
required. 

T0216 

Recognize and accurately report forensic artifacts indicative of a particular operating system. 

T0217 

Address security implications in the software acceptance phase including completion criteria, 
risk acceptance and documentation, common criteria, and methods of independent testing. 

T0218 

Recommend new or revised security, resilience, and dependability measures based on the 
results of reviews. 

T0219 

Recommend resource allocations required to securely operate and maintain an organization’s 
cybersecurity requirements. 

T0220 

Resolve conflicts in laws, regulations, policies, standards, or procedures. 

T0221 

Review authorization and assurance documents to confirm that the level of risk is within 
acceptable limits for each software application, system, and network. 

T0222 

Review existing and proposed policies with stakeholders.

T0223

Review or conduct audits of information technology (IT) programs and projects. 

T0224 

Review training documentation (e.g., Course Content Documents [CCD], lesson plans, student 
texts, examinations, Schedules of Instruction [SOI], and course descriptions). 

T0225 

Secure the electronic device or information source. 

T0226 

Serve on agency and interagency policy boards. 

T0227 

Recommend policy and coordinate review and approval. 

T0228 

Store, retrieve, and manipulate data for analysis of system capabilities and requirements. 

T0229 

Supervise or manage protective or corrective measures when a cybersecurity incident or 
vulnerability is discovered. 

T0230 

Support the design and execution of exercise scenarios. 

T0231 

Provide support to security/certification test and evaluation activities. 

T0232 

Test and maintain network infrastructure including software and hardware devices. 

T0233 

Track and document cyber defense incidents from initial detection through final resolution. 

T0234 

Track audit findings and recommendations to ensure appropriate mitigation actions are taken. 

T0235 

Translate functional requirements into technical solutions. 

T0236 

Translate security requirements into application design elements including documenting the 
elements of the software attack surfaces, conducting threat modeling, and defining any 
specific security criteria. 

T0237 

Troubleshoot system hardware and software. 

T0238 

Extract data using data carving techniques (e.g., Forensic Tool Kit [FTK], Foremost). 

T0239 

Use federal and organization-specific published documents to manage operations of their 
computing environment system(s). 

T0240 

Capture and analyze network traffic associated with malicious activities using network 
monitoring tools. 

T0241 

Use specialized equipment and techniques to catalog, document, extract, collect, package, and 
preserve digital evidence. 

T0242 

Utilize models and simulations to analyze or predict system performance under different 
operating conditions. 

T0243 

Verify and update security documentation reflecting the application/system security design 
features. 

T0244 

Verify that application software/network/system security postures are implemented as stated, 
document deviations, and recommend required actions to correct those deviations. 

T0245 

Verify that the software application/network/system accreditation and assurance 
documentation is current. 

T0246 

Write and publish cyber defense techniques, guidance, and reports on incident findings to 
appropriate constituencies. 

T0247 

Write instructional materials (e.g., standard operating procedures, production manual) to 
provide detailed guidance to relevant portion of the workforce. 

T0248 

Promote awareness of security issues among management and ensure sound security 
principles are reflected in the organization's vision and goals. 

T0249 

Research current technology to understand capabilities of required system or network. 

T0250 

Identify cyber capabilities strategies for custom hardware and software development based on 
mission requirements. 

T0251 

Develop security compliance processes and/or audits for external services (e.g., cloud service 
providers, data centers). 

T0252 

Conduct required reviews as appropriate within environment (e.g., Technical Surveillance, 
Countermeasure Reviews [TSCM], TEMPEST countermeasure reviews). 

T0253 

Conduct cursory binary analysis.

T0254

Oversee policy standards and implementation strategies to ensure procedures and guidelines 
comply with cybersecurity policies. 

T0255 

Participate in Risk Governance process to provide security risks, mitigations, and input on 
other technical risk. 

T0256 

Evaluate the effectiveness of procurement function in addressing information security 
requirements and supply chain risks through procurement activities and recommend 
improvements. 

T0257 

Determine scope, infrastructure, resources, and data sample size to ensure system 
requirements are adequately demonstrated. 

T0258 

Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous 
activities, and misuse activities and distinguish these incidents and events from benign 
activities. 

T0259 

Use cyber defense tools for continual monitoring and analysis of system activity to identify 
malicious activity. 

T0260 

Analyze identified malicious activity to determine weaknesses exploited, exploitation 
methods, effects on system and information. 

T0261 

Assist in identifying, prioritizing, and coordinating the protection of critical cyber defense 
infrastructure and key resources. 

T0262 

Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, 
layered defenses, security robustness). 

T0263 

Identify security requirements specific to an information technology (IT) system in all phases 
of the System Life Cycle. 

T0264 

Ensure plans of actions and milestones or remediation plans are in place for vulnerabilities 
identified during risk assessments, audits, inspections, etc. 

T0265 

Assure successful implementation and functionality of security requirements and appropriate 
information technology (IT) policies and procedures that are consistent with the organization's 
mission and goals. 

T0266 

Perform penetration testing as required for new or updated applications. 

T0267 

Design countermeasures and mitigations against potential exploitations of programming 
language weaknesses and vulnerabilities in system and elements. 

T0268 

Define and document how the implementation of a new system or new interfaces between 
systems impacts the security posture of the current environment. 

T0269 

Design and develop key management functions (as related to cybersecurity). 

T0270 

Analyze user needs and requirements to plan and conduct system security development. 

T0271 

Develop cybersecurity designs to meet specific operational needs and environmental factors 
(e.g., access controls, automated applications, networked operations, high integrity and 
availability requirements, multilevel security/processing of multiple classification levels, and 
processing Sensitive Compartmented Information). 

T0272 

Ensure security design and cybersecurity development activities are properly documented 
(providing a functional description of security implementation) and updated as necessary. 

T0273 

Develop and document supply chain risks for critical system elements, as appropriate. 

T0274 

Create auditable evidence of security measures. 

T0275 

Support necessary compliance activities (e.g., ensure system security configuration guidelines 
are followed, compliance monitoring occurs). 

T0276 

Participate in the acquisition process as necessary, following appropriate supply chain risk 
management practices. 

T0277 

Ensure all acquisitions, procurements, and outsourcing efforts address information security 
requirements consistent with organization goals.

T0278

Collect intrusion artifacts (e.g., source code, malware, trojans) and use discovered data to 
enable mitigation of potential cyber defense incidents within the enterprise. 

T0279 

Serve as technical expert and liaison to law enforcement personnel and explain incident details 
as required. 

T0280 

Continuously validate the organization against policies/guidelines/procedures/regulations/laws 
to ensure compliance. 

T0281 

Forecast ongoing service demands and ensure security assumptions are reviewed as necessary. 

T0282 

Define and/or implement policies and procedures to ensure protection of critical infrastructure 
as appropriate. 

T0283 

Collaborate with stakeholders to identify and/or develop appropriate solutions technology. 

T0284 

Design and develop new tools/technologies as related to cybersecurity. 

T0285 

Perform virus scanning on digital media. 

T0286 

Perform file system forensic analysis. 

T0287 

Perform static analysis to mount an "image" of a drive (without necessarily having the original 
drive). 

T0288 

Perform static malware analysis. 

T0289 

Utilize deployable forensics tool kit to support operations as necessary. 

T0290 

Determine tactics, techniques, and procedures (TTPs) for intrusion sets. 

T0291 

Examine network topologies to understand data flows through the network. 

T0292 

Recommend computing environment vulnerability corrections. 

T0293 

Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR). 

T0294 

Conduct research, analysis, and correlation across a wide variety of all source data sets 
(indications and warnings). 

T0295 

Validate intrusion detection system (IDS) alerts against network traffic using packet analysis 
tools. 

T0296 

Isolate and remove malware. 

T0297 

Identify applications and operating systems of a network device based on network traffic. 

T0298 

Reconstruct a malicious attack or activity based off network traffic. 

T0299 

Identify network mapping and operating system (OS) fingerprinting activities. 

T0300 

Develop and document User Experience (UX) requirements including information architecture 
and user interface requirements. 

T0301 

Develop and Implement cybersecurity independent audit processes for application 
software/networks/systems and oversee ongoing independent audits to ensure that operational 
and Research and Design (R&D) processes and procedures are in compliance with 
organizational and mandatory cybersecurity requirements and accurately followed by Systems 
Administrators and other cybersecurity staff when performing their day-to-day activities. 

T0302 

Develop contract language to ensure supply chain, system, network, and operational security 
are met. 

T0303 

Identify and leverage the enterprise-wide version control system while designing and 
developing secure applications. 

T0304 

Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM 
Rational Unified Process) into development environment. 

T0305 

Performs configuration management, problem management, capacity management, and 
financial management for databases and data management systems. 

T0306 

Supports incident management, service level management, change management, release 
management, continuity management, and availability management for databases and data 
management systems. 

T0307 

Analyze candidate architectures, allocate security services, and select security mechanisms. 

T0308 

Analyze incident data for emerging trends.

T0309

Assess the effectiveness of security controls. 

T0310 

Assist in the construction of signatures which can be implemented on cyber defense network 
tools in response to new or observed threats within the NE or enclave. 

T0311 

Consult with customers about software system design and maintenance. 

T0312 

Coordinate with intelligence analysts to correlate threat assessment data. 

T0313 

Design and document quality standards. 

T0314 

Develop a system security context, a preliminary system security Concept of Operations 
(CONOPS), and define baseline system security requirements in accordance with applicable 
cybersecurity requirements. 

T0315 

Develop and deliver technical training to educate others or meet customer needs. 

T0316 

Develop or assist in the development of computer based training modules or classes. 

T0317 

Develop or assist in the development of course assignments. 

T0318 

Develop or assist in the development of course evaluations. 

T0319 

Develop or assist in the development of grading and proficiency standards. 

T0320 

Assist in the development of individual/collective development, training, and/or remediation 
plans. 

T0321 

Develop or assist in the development of learning objectives and goals. 

T0322 

Develop or assist in the development of on-the-job training materials or programs. 

T0323 

Develop or assist in the development of written tests for measuring and assessing learner 
proficiency. 

T0324 

Direct software programming and development of documentation. 

T0325 

Document a system's purpose and preliminary system security concept of operations. 

T0326 

Employ configuration management processes. 

T0327 

Evaluate network infrastructure vulnerabilities to enhance capabilities being developed. 

T0328 

Evaluate security architectures and designs to determine the adequacy of security design and 
architecture proposed or provided in response to requirements contained in acquisition 
documents. 

T0329 

Follow software and systems engineering life cycle standards and processes. 

T0330 

Maintain assured message delivery systems. 

T0331 

Maintain incident tracking and solution database. 

T0332 

Notify designated managers, cyber incident responders, and cybersecurity service provider 
team members of suspected cyber incidents and articulate the event's history, status, and 
potential impact for further action in accordance with the organization's cyber incident 
response plan. 

T0333 

Perform cyber defense trend analysis and reporting. 

T0334 

Ensure that all systems components can be integrated and aligned (e.g., procedures, databases, 
policies, software, and hardware). 

T0335 

Build, install, configure, and test dedicated cyber defense hardware. 

T0336 

Withdrawn: Integrated with T0228 

T0337 

Supervise and assign work to programmers, designers, technologists and technicians and other 
engineering and scientific personnel. 

T0338 

Write detailed functional specifications that document the architecture development process. 

T0339 

Leads efforts to promote the organization's use of knowledge management and information 
sharing. 

T0340 

Act as a primary stakeholder in the underlying information technology (IT) operational 
processes and functions that support the service, provide direction and monitor all significant 
activities so the service is delivered successfully.

T0341

Advocate for adequate funding for cyber training resources, to include both internal and 
industry-provided courses, instructors, and related materials. 

T0342 

Analyze data sources to provide actionable recommendations. 

T0343 

Analyze the crisis situation to ensure public, personal, and resource protection. 

T0344 

Assess all the configuration management (change configuration/release management) 
processes. 

T0345 

Assess effectiveness and efficiency of instruction according to ease of instructional technology 
use and student learning, knowledge transfer, and satisfaction. 

T0346 

Assess the behavior of the individual victim, witness, or suspect as it relates to the 
investigation. 

T0347 

Assess the validity of source data and subsequent findings. 

T0348 

Assist in assessing the impact of implementing and sustaining a dedicated cyber defense 
infrastructure. 

T0349 

Collect metrics and trending data. 

T0350 

Conduct a market analysis to identify, assess, and recommend commercial, GOTS, and open 
source products for use within a system and ensure recommended products are in compliance 
with organization's evaluation and validation requirements. 

T0351 

Conduct hypothesis testing using statistical processes. 

T0352 

Conduct learning needs assessments and identify requirements. 

T0353 

Confer with systems analysts, engineers, programmers and others to design application. 

T0354 

Coordinate and manage the overall service provided to a customer end-to-end. 

T0355 

Coordinate with internal and external subject matter experts to ensure existing qualification 
standards reflect organizational functional requirements and meet industry standards. 

T0356 

Coordinate with organizational manpower stakeholders to ensure appropriate allocation and 
distribution of human capital assets. 

T0357 

Create interactive learning exercises to create an effective learning environment. 

T0358 

Design and develop system administration and management functionality for privileged access 
users. 

T0359 

Design, implement, test, and evaluate secure interfaces between information systems, physical 
systems, and/or embedded technologies. 

T0360 

Determine the extent of threats and recommend courses of action or countermeasures to 
mitigate risks. 

T0361 

Develop and facilitate data-gathering methods. 

T0362 

Develop and implement standardized position descriptions based on established cyber work 
roles. 

T0363 

Develop and review recruiting, hiring, and retention procedures in accordance with current 
Human Resource (HR) policies. 

T0364 

Develop cyber career field classification structure to include establishing career field entry 
requirements and other nomenclature such as codes and identifiers. 

T0365 

Develop or assist in the development of training policies and protocols for cyber training. 

T0366 

Develop strategic insights from large data sets. 

T0367 

Develop the goals and objectives for cyber curriculum. 

T0368 

Ensure cyber career fields are managed in accordance with organizational Human Resource 
(HR) policies and directives. 

T0369 

Ensure cyber workforce management policies and processes comply with legal and 
organizational requirements regarding equal opportunity, diversity, and fair 
hiring/employment practices. 

T0370 

Ensure that appropriate Service Level Agreements (SLAs) and underpinning contracts have 
been defined that clearly set out for the customer a description of the service and the measures 
for monitoring the service. 

T0371 

Establish acceptable limits for the software application, network, or system. 

T0372 

Establish and collect metrics to monitor and validate cyber workforce readiness including 
analysis of cyber workforce data to assess the status of positions identified, filled, and filled 
with qualified personnel. 

T0373 

Establish and oversee waiver processes for cyber career field entry and training qualification 
requirements. 

T0374 

Establish cyber career paths to allow career progression, deliberate development, and growth 
within and between cyber career fields. 

T0375 

Establish manpower, personnel, and qualification data element standards to support cyber 
workforce management and reporting requirements. 

T0376 

Establish, resource, implement, and assess cyber workforce management programs in 
accordance with organizational requirements. 

T0377 

Gather feedback on customer satisfaction and internal service performance to foster continual 
improvement. 

T0378 

Incorporates risk-driven systems maintenance updates process to address system deficiencies 
(periodically and out of cycle). 

T0379 

Manage the internal relationship with information technology (IT) process owners supporting 
the service, assisting with the definition and agreement of Operating Level Agreements 
(OLAs). 

T0380 

Plan instructional strategies such as lectures, demonstrations, interactive exercises, multimedia 
presentations, video courses, web-based courses for most effective learning environment in 
conjunction with educators and trainers. 

T0381 

Present technical information to technical and non-technical audiences. 

T0382 

Present data in creative formats. 

T0383 

Program custom algorithms. 

T0384 

Promote awareness of cyber policy and strategy as appropriate among management and ensure 
sound principles are reflected in the organization's mission, vision, and goals. 

T0385 

Provide actionable recommendations to critical stakeholders based on data analysis and 
findings. 

T0386 

Provide criminal investigative support to trial counsel during the judicial process. 

T0387 

Review and apply cyber career field qualification standards. 

T0388 

Review and apply organizational policies related to or having an effect on the cyber 
workforce. 

T0389 

Review service performance reports identifying any significant issues and variances, 
initiating, where necessary, corrective actions and ensuring that all outstanding issues are 
followed up. 

T0390 

Review/Assess cyber workforce effectiveness to adjust skill and/or qualification standards. 

T0391 

Support integration of qualified cyber workforce personnel into information systems lifecycle 
development processes. 

T0392 

Utilize technical documentation or resources to implement a new mathematical, data science, 
or computer science method. 

T0393 

Validate specifications and requirements for testability. 

T0394 

Work with other service managers and product owners to balance and prioritize services to 
meet overall customer requirements, constraints, and objectives. 

T0395 

Write and publish after action reviews. 

T0396 

Process image with appropriate tools depending on analyst’s goals. 

T0397 

Perform Windows registry analysis. 

T0398 

Perform file and registry monitoring on the running system after identifying intrusion via 
dynamic analysis. 

T0399 

Enter media information into tracking database (e.g. Product Tracker Tool) for digital media 
that has been acquired. 

T0400 

Correlate incident data and perform cyber defense reporting. 

T0401 

Maintain deployable cyber defense toolkit (e.g. specialized cyber defense software/hardware) 
to support IRT mission. 

T0402 

Effectively allocate storage capacity in the design of data management systems. 

T0403 

Read, interpret, write, modify, and execute simple scripts (e.g., PERL, VBS) on Windows and 
UNIX systems (e.g., those that perform tasks such as: parsing large data files, automating 
manual tasks, and fetching/processing remote data). 

T0404 

Utilize different programming languages to write code, open files, read files, and write output 
to different files. 

T0405 

Utilize open source language such as R and apply quantitative techniques (e.g., descriptive 
and inferential statistics, sampling, experimental design, parametric and non-parametric tests 
of difference, ordinary least squares regression, general line). 

T0406 

Ensure design and development activities are properly documented (providing a functional 
description of implementation) and updated as necessary. 

T0407 

Participate in the acquisition process as necessary. 

T0408 

Interpret and apply applicable laws, statutes, and regulatory documents and integrate into 
policy. 

T0409 

Troubleshoot prototype design and process issues throughout the product design, 
development, and pre-launch phases. 

T0410 

Identify functional- and security-related features to find opportunities for new capability 
development to exploit or mitigate vulnerabilities. 

T0411 

Identify and/or develop reverse engineering tools to enhance capabilities and detect 
vulnerabilities. 

T0412 

Conduct import/export reviews for acquiring systems and software. 

T0413 

Develop data management capabilities (e.g., cloud based, centralized cryptographic key 
management) to include support to the mobile workforce. 

T0414 

Develop supply chain, system, network, performance, and cyber security requirements. 

T0415 

Ensure supply chain, system, network, performance, and cyber security requirements are 
included in contract language and delivered. 

T0416 

Enable applications with public keying by leveraging existing public key infrastructure (PKI) 
libraries and incorporating certificate management and encryption functionalities when 
appropriate. 

T0417 

Identify and leverage the enterprise-wide security services while designing and developing 
secure applications (e.g., Enterprise PKI, Federated Identity server, Enterprise Anti-Virus 
solution) when appropriate. 

T0418 

Install, update, and troubleshoot systems/servers. 

T0419 

Acquire and maintain a working knowledge of constitutional issues relevant laws, regulations, 
policies, agreements, standards, procedures, or other issuances. 

T0420 

Administer test bed(s), and test and evaluate applications, hardware infrastructure, 
rules/signatures, access controls, and configurations of platforms managed by service 
provider(s). 

T0421 

Manage the indexing/cataloguing, storage, and access of explicit organizational knowledge 
(e.g., hard copy documents, digital files). 

T0422 

Implement data management standards, requirements, and specifications. 

T0423 

Analyze computer-generated threats for counter intelligence or criminal activity. 

T0424 

Analyze and provide information to stakeholders that will support the development of security 
application or modification of an existing security application. 

T0425 

Analyze organizational cyber policy. 

T0426 

Analyze the results of software, hardware, or interoperability testing. 

T0427 

Analyze user needs and requirements to plan architecture. 

T0428 

Analyze security needs and software requirements to determine feasibility of design within 
time and cost constraints and security mandates. 

T0429 

Assess policy needs and collaborate with stakeholders to develop policies to govern cyber 
activities. 

T0430 

Gather and preserve evidence used on the prosecution of computer crimes. 

T0431 

Check system hardware availability, functionality, integrity, and efficiency. 

T0432 

Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) 
and use discovered data to enable mitigation of potential cyber defense incidents within the 
enterprise. 

T0433 

Conduct analysis of log files, evidence, and other information in order to determine best 
methods for identifying the perpetrator(s) of a network intrusion or other crimes. 

T0434 

Conduct framing of pleadings to properly identify alleged violations of law, regulations, or 
policy/guidance. 

T0435 

Conduct periodic system maintenance including cleaning (both physically and electronically), 
disk checks, routine reboots, data dumps, and testing. 

T0436 

Conduct trial runs of programs and software applications to ensure the desired information is 
produced and instructions and security levels are correct. 

T0437 

Correlates training and learning to business or mission requirements. 

T0438 

Create, edit, and manage network access control lists on specialized cyber defense systems 
(e.g., firewalls and intrusion prevention systems). 

T0439 

Detect and analyze encrypted data, stenography, alternate data streams and other forms of 
concealed data. 

T0440 

Captures and integrates essential system capabilities or business functions required for partial 
or full system restoration after a catastrophic failure event. 

T0441 

Define and integrate current and future mission environments. 

T0442 

Create training courses tailored to the audience and physical environment. 

T0443 

Deliver training courses tailored to the audience and physical/virtual environments. 

T0444 

Apply concepts, procedures, software, equipment, and/or technology applications to students. 

T0445 

Design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the 
organization’s strategic plan. 

T0446 

Design, develop, integrate, and update system security measures that provide confidentiality, 
integrity, availability, authentication, and non-repudiation. 

T0447 

Design hardware, operating systems, and software applications to adequately address 
requirements. 

T0448 

Develop enterprise architecture or system components required to meet user needs. 

T0449 

Design to security requirements to ensure requirements are met for all systems and/or 
applications. 

T0450 

Design training curriculum and course content based on requirements. 

T0451 

Participate in development of training curriculum and course content. 

T0452 

Design, build, implement, and maintain a knowledge management framework that provides 
end-users access to the organization’s intellectual capital. 

T0453 

Determine and develop leads and identify sources of information in order to identify and/or 
prosecute the responsible parties to an intrusion or other crimes. 

T0454 

Define baseline security requirements in accordance with applicable guidelines. 

T0455 

Develop software system testing and validation procedures, programming, and documentation. 

T0456 

Develop secure software testing and validation procedures. 

T0457 

Develop system testing and validation procedures, programming, and documentation. 

T0458 

Comply with organization systems administration standard operating procedures. 

T0459 

Implement data mining and data warehousing applications. 

T0460 

Develop and implement data mining and data warehousing programs. 

T0461 

Implement and enforce local network usage policies and procedures. 

T0462 

Develop procedures and test fail-over for system operations transfer to an alternate site based 
on system availability requirements. 

T0463 

Develop cost estimates for new or modified system(s). 

T0464 

Develop detailed design documentation for component and interface specifications to support 
system design and development. 

T0465 

Develop guidelines for implementation. 

T0466 

Develop mitigation strategies to address cost, schedule, performance, and security risks. 

T0467 

Ensure training meets the goals and objectives for cybersecurity training, education, or 
awareness. 

T0468 

Diagnose and resolve customer reported system incidents, problems, and events. 

T0469 

Analyze and report organizational security posture trends. 

T0470 

Analyze and report system security posture trends. 

T0471 

Document original condition of digital and/or associated evidence (e.g., via digital 
photographs, written reports, hash function checking). 

T0472 

Draft, staff, and publish cyber policy. 

T0473 

Document and update as necessary all definition and architecture activities. 

T0474 

Provide legal analysis and decisions to inspector generals, privacy officers, oversight and 
compliance personnel with regard to compliance with cybersecurity policies and relevant legal 
and regulatory requirements. 

T0475 

Assess adequate access controls based on principles of least privilege and need-to-know. 

T0476 

Evaluate the impact of changes to laws, regulations, policies, standards, or procedures. 

T0477 

Ensure the execution of disaster recovery and continuity of operations. 

T0478 

Provide guidance on laws, regulations, policies, standards, or procedures to management, 
personnel, or clients. 

T0479 

Employ information technology (IT) systems and digital storage media to solve, investigate, 
and/or prosecute cybercrimes and fraud committed against people and property. 

T0480 

Identify components or elements, allocate comprehensive functional components to include 
security functions, and describe the relationships between the elements. 

T0481 

Identify and address cyber workforce planning and management issues (e.g. recruitment, 
retention, and training). 

T0482 

Make recommendations based on trend analysis for enhancements to software and hardware 
solutions to enhance customer experience. 

T0483 

Identify potential conflicts with implementation of any cyber defense tools (e.g., tool and 
signature testing and optimization). 

T0484 

Document the protection needs (i.e., security controls) for the information system(s) and 
network(s) and document appropriately. 

T0485 

Implement security measures to resolve vulnerabilities, mitigate risks and recommend security 
changes to system or system components as needed. 

T0486 

Implement Risk Management Framework (RMF)/Security Assessment and Authorization 
(SA&A) requirements for dedicated cyber defense systems within the enterprise, and 
document and maintain records for them. 

T0487 

Facilitate implementation of new or revised laws, regulations, executive orders, policies, 
standards, or procedures. 

T0488 

Implement designs for new or existing system(s). 

T0489 

Implement system security measures in accordance with established procedures to ensure 
confidentiality, integrity, availability, authentication, and non-repudiation. 

T0490 

Install and configure database management systems and software. 

T0491 

Install and configure hardware, software, and peripheral equipment for system users in 
accordance with organizational standards. 

T0492 

Ensure the integration and implementation of Cross-Domain Solutions (CDS) in a secure 
environment. 

T0493 

Lead and oversee budget, staffing, and contracting. 

T0494 

Administer accounts, network rights, and access to systems and equipment. 

T0495 

Manage Accreditation Packages (e.g., ISO/IEC 15026-2). 

T0496 

Perform asset management/inventory of information technology (IT) resources. 

T0497 

Manage the information technology (IT) planning process to ensure that developed solutions 
meet customer requirements. 

T0498 

Manage system/server resources including performance, capacity, availability, serviceability, 
and recoverability. 

T0499 

Mitigate/correct security deficiencies identified during security/certification testing and/or 
recommend risk acceptance for the appropriate senior leader or authorized representative. 

T0500 

Modify and maintain existing software to correct errors, to adapt it to new hardware, or to 
upgrade interfaces and improve performance. 

T0501 

Monitor and maintain system/server configuration. 

T0502 

Monitor and report client-level computer system performance. 

T0503 

Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency 
Response Teams, Security Focus) to maintain currency of cyber defense threat condition and 
determine which security issues may have an impact on the enterprise. 

T0504 

Assess and monitor cybersecurity related to system implementation and testing practices. 

T0505 

Monitor the rigorous application of cyber policies, principles, and practices in the delivery of 
planning and management services. 

T0506 

Seek consensus on proposed policy changes from stakeholders. 

T0507 

Oversee installation, implementation, configuration, and support of system components. 

T0508 

Verify minimum security requirements are in place for all applications. 

T0509 

Perform an information security risk assessment. 

T0510 

Coordinate incident response functions. 

T0511 

Perform developmental testing on systems under development. 

T0512 

Perform interoperability testing on systems exchanging electronic information with other 
systems. 

T0513 

Perform operational testing. 

T0514 

Diagnose faulty system/server hardware. 

T0515 

Perform repairs on faulty system/server hardware. 

T0516 

Perform secure program testing, review, and/or assessment to identify potential flaws in codes 
and mitigate vulnerabilities. 

T0517 

Integrate results regarding the identification of gaps in security architecture. 

T0518 

Perform security reviews and identify security gaps in architecture. 

T0519 

Plan and coordinate the delivery of classroom techniques and formats (e.g., lectures, 
demonstrations, interactive exercises, multimedia presentations) for most effective learning 
environment. 

T0520 

Plan non-classroom educational techniques and formats (e.g., video courses, mentoring, 
web-based courses). 

T0521 

Plan implementation strategy to ensure enterprise components can be integrated and aligned. 

T0522 

Prepare legal and other relevant documents (e.g., depositions, briefs, affidavits, declarations, 
appeals, pleadings, discovery). 

T0523 

Prepare reports to document the investigation following legal standards and requirements. 

T0524 

Promote knowledge sharing between information owners/users through an organization’s 
operational processes and systems. 

T0525 

Provide enterprise cybersecurity and supply chain risk management guidance. 

T0526 

Provides cybersecurity recommendations to leadership based on significant threats and 
vulnerabilities. 

T0527 

Provide input to implementation plans and standard operating procedures as they relate to 
information systems security. 

T0528 

Provide input to implementation plans, standard operating procedures, maintenance 
documentation, and maintenance training materials. 

T0529 

Provide policy guidance to cyber management, staff, and users. 

T0530 

Develop a trend analysis and impact report. 

T0531 

Troubleshoot hardware/software interface and interoperability problems. 

T0532 

Review forensic images and other data sources (e.g., volatile data) for recovery of potentially 
relevant information. 

T0533 

Review, conduct, or participate in audits of cyber programs and projects. 

T0534 

Conduct periodic reviews/revisions of course content for accuracy, completeness alignment, 
and currency (e.g., course content documents, lesson plans, student texts, examinations, 
schedules of instruction, and course descriptions). 

T0535 

Recommend revisions to curriculum and course content based on feedback from previous 
training sessions. 

T0536 

Serve as an internal consultant and advisor in own area of expertise (e.g., technical, copyright, 
print media, electronic media). 

T0537 

Support the CIO in the formulation of cyber-related policies. 

T0538 

Provide support to test and evaluation activities. 

T0539 

Test, evaluate, and verify hardware and/or software to determine compliance with defined 
specifications and requirements. 

T0540 

Record and manage test data. 

T0541 

Trace system requirements to design components and perform gap analysis. 

T0542 

Translate proposed capabilities into technical requirements. 

T0543 

Use data carving techniques (e.g., FTK-Foremost) to extract data for further analysis. 

T0544 

Verify stability, interoperability, portability, and/or scalability of system architecture. 

T0545 

Work with stakeholders to resolve computer security incidents and vulnerability compliance. 

T0546 

Write and publish cyber defense recommendations, reports, and white papers on incident 
findings to appropriate constituencies. 

T0547 

Research and evaluate available technologies and standards to meet customer requirements. 

T0548 

Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations 
Plans. 

T0549 

Perform technical (evaluation of technology) and non-technical (evaluation of people and 
operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local 
computing environment, network and infrastructure, enclave boundary, supporting 
infrastructure, and applications). 

T0550 

Make recommendations regarding the selection of cost-effective security controls to mitigate 
risk (e.g., protection of information, systems and processes). 

T0551 

Draft and publish supply chain security and risk management documents. 

T0552 

Review and approve a supply chain security/risk management policy. 

T0553 

Apply cybersecurity functions (e.g., encryption, access control, and identity management) to 
reduce exploitation opportunities. 

T0554 

Determine and document software patches or the extent of releases that would leave software 
vulnerable. 

T0555 

Document how the implementation of a new system or new interface between systems impacts 
the current and target environment including but not limited to security posture. 

T0556 

Assess and design security management functions as related to cyberspace. 

T0557 

Integrate key management functions as related to cyberspace. 

T0558 

Analyze user needs and requirements to plan and conduct system development. 

T0559 

Develop designs to meet specific operational needs and environmental factors (e.g., access 
controls, automated applications, networked operations). 

T0560 

Collaborate on cybersecurity designs to meet specific operational needs and environmental 
factors (e.g., access controls, automated applications, networked operations, high integrity and 
availability requirements, multilevel security/processing of multiple classification levels, and 
processing Sensitive Compartmented Information). 

T0561 

Accurately characterize targets. 

T0562 

Adjust collection operations or collection plan to address identified issues/challenges and to 
synchronize collections with overall operational requirements. 

T0563 

Provide input to the analysis, design, development or acquisition of capabilities used for 
meeting objectives. 

T0564 

Analyze feedback to determine extent to which collection products and services are meeting 
requirements. 

T0565 

Analyze incoming collection requests. 

T0566 

Analyze own operational architecture, tools, and procedures for ways to improve performance. 

T0567 

Analyze target operational architecture for ways to gain access. 

T0568 

Analyze plans, directives, guidance and policy for factors that would influence collection 
management's operational structure and requirements (e.g., duration, scope, communication 
requirements, interagency/international agreements). 

T0569 

Answer requests for information. 

T0570 

Apply and utilize authorized cyber capabilities to enable access to targeted networks. 

T0571 

Apply expertise in policy and processes to facilitate the development, negotiation, and internal 
staffing of plans and/or memorandums of agreement. 

T0572 

Apply cyber collection, environment preparation and engagement expertise to enable new 
exploitation and/or continued collection operations, or in support of customer requirements. 

T0573 

Assess and apply operational environment factors and risks to collection management process. 

T0574 

Apply and obey applicable statutes, laws, regulations and policies. 

T0575 

Coordinate for intelligence support to operational planning activities. 

T0576 

Assess all-source intelligence and recommend targets to support cyber operation objectives. 

T0577 

Assess efficiency of existing information exchange and management systems. 

T0578 

Assess performance of collection assets against prescribed specifications. 

T0579 

Assess target vulnerabilities and/or operational capabilities to determine course of action. 

T0580 

Assess the effectiveness of collections in satisfying priority information gaps, using available 
capabilities and methods, and then adjust collection strategies and collection requirements 
accordingly. 

T0581 

Assist and advise inter-agency partners in identifying and developing best practices for 
facilitating operational support to achievement of organization objectives. 

T0582 

Provide expertise to course of action development. 

T0583 

Provide subject matter expertise to the development of a common operational picture. 

T0584 

Maintain a common intelligence picture. 

T0585 

Provide subject matter expertise to the development of cyber operations specific indicators. 

T0586 

Assist in the coordination, validation, and management of all-source collection requirements, 
plans, and/or activities. 

T0587 

Assist in the development and refinement of priority information requirements. 

T0588 

Provide expertise to the development of measures of effectiveness and measures of 
performance. 

T0589 

Assist in the identification of intelligence collection shortfalls. 

T0590 

Enable synchronization of intelligence support plans across partner organizations as required. 

T0591 

Perform analysis for target infrastructure exploitation activities. 

T0592 

Provide input to the identification of cyber-related success criteria. 

T0593 

Brief threat and/or target current situations. 

T0594 

Build and maintain electronic target folders. 

T0595 

Classify documents in accordance with classification guidelines. 

T0596 

Close requests for information once satisfied. 

T0597 

Collaborate with intelligence analysts/targeting organizations involved in related areas. 

T0598 

Collaborate with development organizations to create and deploy the tools needed to achieve 
objectives. 

T0599 

Collaborate with other customer, Intelligence and targeting organizations involved in related 
cyber areas. 

T0600 

Collaborate with other internal and external partner organizations on target access and 
operational issues. 

T0601 

Collaborate with other team members or partner organizations to develop a diverse program of 
information materials (e.g., web pages, briefings, print materials). 

T0602 

Collaborates with customer to define information requirements. 

T0603 

Communicate new developments, breakthroughs, challenges and lessons learned to leadership, 
and internal and external customers. 

T0604 

Compare allocated and available assets to collection demand as expressed through 
requirements. 

T0605 

Compile lessons learned from collection management activity's execution of organization 
collection objectives. 

T0606 

Compile, integrate, and/or interpret all-source data for intelligence or vulnerability value with 
respect to specific targets. 

T0607 

Identify and conduct analysis of target communications to identify information essential to 
support operations. 

T0608 

Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, 
telecom) to identify potential avenues of access. 

T0609 

Conduct access enabling of wireless computer and digital networks. 

T0610 

Conduct collection and processing of wireless computer and digital networks. 

T0611 

Conduct end-of-operations assessments. 

T0612 

Conduct exploitation of wireless computer and digital networks. 

T0613 

Conduct formal and informal coordination of collection requirements in accordance with 
established guidelines and procedures. 

T0614 

Conduct independent in-depth target and technical analysis including target-specific 
information (e.g., cultural, organizational, political) that results in access. 

T0615 

Conduct in-depth research and analysis. 

T0616 

Conduct network scouting and vulnerability analyses of systems within a network. 

T0617 

Conduct nodal analysis. 

T0618 

Conduct on-net activities to control and exfiltrate data from deployed technologies. 

T0619 

Conduct on-net and off-net activities to control, and exfiltrate data from deployed, automated 
technologies. 

T0620 

Conduct open source data collection via various online tools. 

T0621 

Conduct quality control in order to determine validity and relevance of information gathered 
about networks. 

T0622 

Develop, review and implement all levels of planning guidance in support of cyber operations. 

T0623 

Conduct survey of computer and digital networks. 

T0624 

Conduct target research and analysis. 

T0625 

Consider efficiency and effectiveness of collection assets and resources if/when applied 
against priority information requirements. 

T0626 

Construct collection plans and matrixes using established guidance and procedures. 

T0627 

Contribute to crisis action planning for cyber operations. 

T0628 

Contribute to the development of the organization's decision support tools if necessary. 

T0629 

Contribute to the development, staffing, and coordination of cyber operations policies, 
performance standards, plans and approval packages with appropriate internal and/or external 
decision makers. 

T0630 

Incorporate intelligence equities into the overall design of cyber operations plans. 

T0631 

Coordinate resource allocation of collection assets against prioritized collection requirements 
with collection discipline leads. 

T0632 

Coordinate inclusion of collection plan in appropriate documentation. 

T0633 

Coordinate target vetting with appropriate partners. 

T0634 

Re-task or re-direct collection assets and resources. 

T0635 

Coordinate with intelligence and cyber defense partners to obtain relevant essential 
information. 

T0636 

Coordinate with intelligence planners to ensure collection managers receive information 
requirements. 

T0637 

Coordinate with the intelligence planning team to assess capability to satisfy assigned 
intelligence tasks. 

T0638 

Coordinate, produce and track intelligence requirements. 

T0639 

Coordinate, synchronize and draft applicable intelligence sections of cyber operations plans. 

T0640 

Uses intelligence estimates to counter potential target actions. 

T0641 

Create comprehensive exploitation strategies that identify exploitable technical or operational 
vulnerabilities. 

T0642 

Maintain awareness of internal and external cyber organization structures, strengths, and 
employments of staffing and technology. 

T0643 

Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers). 

T0644 

Detect exploits against targeted networks and hosts and react accordingly. 

T0645 

Determine course of action for addressing changes to objectives, guidance, and operational 
environment. 

T0646 

Determine existing collection management webpage databases, libraries and storehouses. 

T0647 

Determine how identified factors affect the tasking, collection, processing, exploitation and 
dissemination architecture's form and function. 

T0648 

Determine indicators (e.g., measures of effectiveness) that are best suited to specific cyber 
operation objectives. 

T0649 

Determine organizations and/or echelons with collection authority over all accessible 
collection assets. 

T0650 

Determine what technologies are used by a given target. 

T0651 

Develop a method for comparing collection reports to outstanding requirements to identify 
information gaps. 

T0652 

Develop all-source intelligence targeting materials. 

T0653 

Apply analytic techniques to gain more target information. 

T0654 

Develop and maintain deliberate and/or crisis plans. 

T0655 

Develop and review specific cyber operations guidance for integration into broader planning 
activities. 

T0656 

Develop and review intelligence guidance for integration into supporting cyber operations 
planning and execution. 

T0657 

Develop coordinating instructions by collection discipline for each phase of an operation. 

T0658 

Develop cyber operations plans and guidance to ensure that execution and resource allocation 
decisions align with organization objectives. 

T0659 

Develop detailed intelligence support to cyber operations requirements. 

T0660 

Develop information requirements necessary for answering priority information requests. 

T0661 

Develop measures of effectiveness and measures of performance. 

T0662 

Allocate collection assets based on leadership's guidance, priorities, and/or operational 
emphasis. 

T0663 

Develop munitions effectiveness assessment or operational assessment materials. 

T0664 

Develop new techniques for gaining and keeping access to target systems. 

T0665 

Develop or participate in the development of standards for providing, requesting, and/or 
obtaining support from external partners to synchronize cyber operations. 

T0666 

Develop or shape international cyber engagement strategies, policies, and activities to meet 
organization objectives. 

T0667 

Develop potential courses of action. 

T0668 

Develop procedures for providing feedback to collection managers, asset managers, and 
processing, exploitation and dissemination centers. 

T0669 

Develop strategy and processes for partner planning, operations, and capability development. 

T0670 

Develop, implement, and recommend changes to appropriate planning procedures and 
policies. 

T0671 

Develop, maintain, and assess cyber cooperation security agreements with external partners. 

T0672 

Devise, document, and validate cyber operation strategy and planning documents. 

T0673 

Disseminate reports to inform decision makers on collection issues. 

T0674 

Disseminate tasking messages and collection plans. 

T0675 

Conduct and document an assessment of the collection results using established procedures. 

T0676 

Draft cyber intelligence collection and production requirements. 

T0677 

Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems. 

T0678 

Engage customers to understand customers’ intelligence needs and wants. 

T0679 

Ensure operational planning efforts are effectively transitioned to current operations. 

T0680 

Ensure that intelligence planning activities are integrated and synchronized with operational 
planning timelines. 

T0681 

Establish alternative processing, exploitation and dissemination pathways to address identified 
issues or problems. 

T0682 

Validate the link between collection requests and critical information requirements and 
priority intelligence requirements of leadership. 

T0683 

Establish processing, exploitation and dissemination management activity using approved 
guidance and/or procedures. 

T0684 

Estimate operational effects generated through cyber activities. 

T0685 

Evaluate threat decision-making processes. 

T0686 

Identify threat vulnerabilities. 

T0687 

Identify threats to Blue Force vulnerabilities. 

T0688 

Evaluate available capabilities against desired effects in order to recommend efficient 
solutions. 

T0689 

Evaluate extent to which collected information and/or produced intelligence satisfy 
information requests. 

T0690 

Evaluate intelligence estimates to support the planning cycle. 

T0691 

Evaluate the conditions that affect employment of available cyber intelligence capabilities. 

T0692 

Generate and evaluate the effectiveness of network analysis strategies. 

T0693 

Evaluate extent to which collection operations are synchronized with operational 
requirements. 

T0694 

Evaluate the effectiveness of collection operations against the collection plan. 

T0695 

Examine intercept-related metadata and content with an understanding of targeting 
significance. 

T0696 

Exploit network devices, security devices, and/or terminals or environments using various 
methods or tools. 

T0697 

Facilitate access enabling by physical and/or wireless means. 

T0698 

Facilitate continuously updated intelligence, surveillance, and visualization input to common 
operational picture managers. 

T0699 

Facilitate interactions between internal and external partner decision makers to synchronize 
and integrate courses of action in support of objectives. 

T0700 

Facilitate the sharing of “best practices” and “lessons learned” throughout the cyber operations 
community. 

T0701 

Collaborate with developers, conveying target and technical knowledge in tool requirements 
submissions, to enhance tool development. 

T0702 

Formulate collection strategies based on knowledge of available intelligence discipline 
capabilities and gathering methods that align multi-discipline collection capabilities and 
accesses with targets and their observables. 

T0703 

Gather and analyze data (e.g., measures of effectiveness) to determine effectiveness, and 
provide reporting for follow-on activities. 

T0704 

Incorporate cyber operations and communications security support plans into organization 
objectives. 

T0705 

Incorporate intelligence and counterintelligence to support plan development. 

T0706 

Gather information about networks through traditional and alternative techniques (e.g., social 
network analysis, call-chaining, traffic analysis). 

T0707 

Generate requests for information. 

T0708 

Identify threat tactics and methodologies. 

T0709 

Identify all available partner intelligence capabilities and limitations supporting cyber 
operations. 

T0710 

Identify and evaluate threat critical capabilities, requirements, and vulnerabilities. 

T0711 

Identify, draft, evaluate, and prioritize relevant intelligence or information requirements. 

T0712 

Identify and manage security cooperation priorities with external partners. 

T0713 

Identify and submit intelligence requirements for the purposes of designating priority 
information requirements. 

T0714 

Identify collaboration forums that can serve as mechanisms for coordinating processes, 
functions, and outputs with specified organizations and functional groups. 

T0715 

Identify collection gaps and potential collection strategies against targets. 

T0716 

Identify coordination requirements and procedures with designated collection authorities. 

T0717 

Identify critical target elements. 

T0718 

Identify intelligence gaps and shortfalls. 

T0719 

Identify cyber intelligence gaps and shortfalls. 

T0720 

Identify gaps in our understanding of target technology and develop innovative collection 
approaches. 

T0721 

Identify issues or problems that can disrupt and/or degrade processing, exploitation and 
dissemination architecture effectiveness. 

T0722 

Identify network components and their functionality to enable analysis and target 
development. 

T0723 

Identify potential collection disciplines for application against priority information 
requirements. 

T0724 

Identify potential points of strength and vulnerability within a network. 

T0725 

Identify and mitigate risks to collection management ability to support the plan, operations 
and target cycle. 

T0726 

Identify the need, scope, and timeframe for applicable intelligence environment preparation 
derived production. 

T0727 

Identify, locate, and track targets via geospatial analysis techniques. 

T0728 

Provide input to or develop courses of action based on threat factors. 

T0729 

Inform external partners of the potential effects of new or revised policy and guidance on 
cyber operations partnering activities. 

T0730 

Inform stakeholders (e.g., collection managers, asset managers, processing, exploitation and 
dissemination centers) of evaluation results using established procedures. 

T0731 

Initiate requests to guide tasking and assist with collection management. 

T0732 

Integrate cyber planning/targeting efforts with other organizations. 

T0733 

Interpret environment preparations assessments to determine a course of action. 

T0734 

Issue requests for information. 

T0735 

Lead and coordinate intelligence support to operational planning. 

T0736 

Lead or enable exploitation operations in support of organization objectives and target 
requirements. 

T0737 

Link priority collection requirements to optimal assets and resources. 


T0738 

Maintain awareness of advancements in hardware and software technologies (e.g., attend 
training or conferences, reading) and their potential implications. 

T0739 

Maintain relationships with internal and external partners involved in cyber planning or 
related areas. 

T0740 

Maintain situational awareness and functionality of organic operational infrastructure. 

T0741 

Maintain situational awareness of cyber-related intelligence requirements and associated 
tasking. 

T0742 

Maintain situational awareness of partner capabilities and activities. 

T0743 

Maintain situational awareness to determine if changes to the operating environment require 
review of the plan. 

T0744 

Maintain target lists (i.e., RTL, JTL, CTL, etc.). 

T0745 

Make recommendations to guide collection in support of customer requirements. 

T0746 

Modify collection requirements as necessary. 

T0747 

Monitor and evaluate integrated cyber operations to identify opportunities to meet 
organization objectives. 

T0748 

Monitor and report changes in threat dispositions, activities, tactics, capabilities, objectives, 
etc. as related to designated cyber operations warning problem sets. 

T0749 

Monitor and report on validated threat activities. 

T0750 

Monitor completion of reallocated collection efforts. 

T0751 

Monitor open source websites for hostile content directed towards organizational or partner 
interests. 

T0752 

Monitor operational environment and report on adversarial activities which fulfill leadership’s 
priority information requirements. 

T0753 

Monitor operational status and effectiveness of the processing, exploitation and dissemination 
architecture. 

T0754 

Monitor target networks to provide indications and warning of target communications changes 
or processing failures. 

T0755 

Monitor the operational environment for potential factors and risks to the collection operation 
management process. 

T0756 

Operate and maintain automated systems for gaining and maintaining access to target systems. 

T0757 

Optimize mix of collection assets and resources to increase effectiveness and efficiency 
against essential information associated with priority intelligence requirements. 

T0758 

Produce timely, fused, all-source cyber operations intelligence and/or indications and 
warnings intelligence products (e.g., threat assessments, briefings, intelligence studies, country 
studies). 

T0759 

Contribute to the review and refinement of policy, to include assessments of the consequences 
of endorsing or not endorsing such policy. 

T0760 

Provide subject matter expertise to planning teams, coordination groups, and task forces as 
necessary. 

T0761 

Provide SME and support to planning/developmental forums and working groups as 
appropriate. 

T0762 

Provide subject matter expertise in course of action development. 

T0763 

Conduct long-range, strategic planning efforts with internal and external partners in cyber 
activities. 

T0764 

Provide subject matter expertise to planning efforts with internal and external cyber operations 
partners. 

T0765 

Provide subject matter expertise to development of exercises. 

T0766 

Propose policy which governs interactions with external coordination groups. 

T0767 

Perform content and/or metadata analysis to meet organization objectives. 

T0768 

Conduct cyber activities to degrade/remove information resident in computers and computer 
networks. 

T0769 

Perform targeting automation activities. 

T0770 

Develop website characterizations. 

T0771 

Provide subject matter expertise to website characterizations. 

T0772 

Prepare for and provide subject matter expertise to exercises. 

T0773 

Prioritize collection requirements for collection platforms based on platform capabilities. 

T0774 

Process exfiltrated data for analysis and/or dissemination to customers. 

T0775 

Produce network reconstructions. 

T0776 

Produce target system analysis products. 

T0777 

Profile network or system administrators and their activities. 

T0778 

Profile targets and their activities. 

T0779 

Provide advice/assistance to operations and intelligence decision makers with reassignment of 
collection assets and resources in response to dynamic operational situations. 

T0780 

Provide advisory and advocacy support to promote collection planning as an integrated 
component of the strategic campaign plans and other adaptive plans. 

T0781 

Provide aim point and re-engagement recommendations. 

T0782 

Provide analyses and support for effectiveness assessment. 

T0783 

Provide current intelligence support to critical internal/external stakeholders as appropriate. 

T0784 

Provide cyber focused guidance and advice on intelligence support plan inputs. 

T0785 

Provide evaluation and feedback necessary for improving intelligence production, intelligence 
reporting, collection requirements, and operations. 

T0786 

Provide information and assessments for the purposes of informing leadership and customers; 
developing and refining objectives; supporting operation planning and execution; and 
assessing the effects of operations. 

T0787 

Provide input for the development and refinement of the cyber operations objectives, 
priorities, strategies, plans, and programs. 

T0788 

Provide input and assist in post-action effectiveness assessments. 

T0789 

Provide input and assist in the development of plans and guidance. 

T0790 

Provide input for targeting effectiveness assessments for leadership acceptance. 

T0791 

Provide input to the administrative and logistical elements of an operational support plan. 

T0792 

Provide intelligence analysis and support to designated exercises, planning activities, and time 
sensitive operations. 

T0793 

Provide effectiveness support to designated exercises, and/or time sensitive operations. 

T0794 

Provide operations and re-engagement recommendations. 

T0795 

Provide planning support between internal and external partners. 

T0796 

Provide real-time actionable geolocation information. 

T0797 

Provide target recommendations which meet leadership objectives. 

T0798 

Provide targeting products and targeting support as designated. 

T0799 

Provide time sensitive targeting support. 

T0800 

Provide timely notice of imminent or hostile intentions or activities which may impact 
organization objectives, resources, or capabilities. 

T0801 

Recommend refinement, adaption, termination, and execution of operational plans as 
appropriate. 

T0802 

Review appropriate information sources to determine validity and relevance of information 
gathered. 

T0803 

Reconstruct networks in diagram or report format. 

T0804 

Record information collection and/or environment preparation activities against targets during 
operations designed to achieve cyber effects. 

T0805 

Report intelligence-derived significant network events and intrusions. 

T0806 

Request discipline-specific processing, exploitation, and dissemination of information collected 
using the discipline's collection assets and resources in accordance with approved guidance and/or 
procedures. 

T0807 

Research communications trends in emerging technologies (in computer and telephony 
networks, satellite, cable, and wireless) in both open and classified sources. 

T0808 

Review and comprehend organizational leadership objectives and guidance for planning. 

T0809 

Review capabilities of allocated collection assets. 

T0810 

Review intelligence collection guidance for accuracy/applicability. 

T0811 

Review list of prioritized collection requirements and essential information. 

T0812 

Review and update overarching collection plan, as required. 

T0813 

Review, approve, prioritize, and submit operational requirements for research, development, 
and/or acquisition of cyber capabilities. 

T0814 

Revise collection matrix based on availability of optimal assets and resources. 

T0815 

Sanitize and minimize information to protect sources and methods. 

T0816 

Scope the cyber intelligence planning effort. 

T0817 

Serve as a conduit of information from partner teams by identifying subject matter experts 
who can assist in the investigation of complex or unusual situations. 

T0818 

Serve as a liaison with external partners. 

T0819 

Solicit and manage to completion feedback from requestors on quality, timeliness, and 
effectiveness of collection against collection requirements. 

T0820 

Specify changes to collection plan and/or operational environment that necessitate re-tasking 
or re-directing of collection assets and resources. 

T0821 

Specify discipline-specific collections and/or taskings that must be executed in the near term. 

T0822 

Submit information requests to collection requirement management section for processing as 
collection requests. 

T0823 

Submit or respond to requests for deconfliction of cyber operations. 

T0824 

Support identification and documentation of collateral effects. 

T0825 

Synchronize cyber international engagement activities and associated resource requirements as 
appropriate. 

T0826 

Synchronize cyber portions of security cooperation plans. 

T0827 

Synchronize the integrated employment of all available organic and partner intelligence 
collection assets using available collaboration capabilities and techniques. 

T0828 

Test and evaluate locally developed tools for operational use. 

T0829 

Test internally developed tools and techniques against target tools. 

T0830 

Track status of information requests, including those processed as collection requests and 
production requirements, using established procedures. 

T0831 

Translate collection requests into applicable discipline-specific collection requirements. 

T0832 

Use feedback results (e.g., lessons learned) to identify opportunities to improve collection 
management efficiency and effectiveness. 

T0833 

Validate requests for information according to established criteria. 

T0834 

Work closely with planners, intelligence analysts, and collection managers to ensure 
intelligence requirements and collection plans are accurate and up-to-date. 

T0835 

Work closely with planners, analysts, and collection managers to identify intelligence gaps 
and ensure intelligence requirements are accurate and up-to-date. 

T0836 

Document lessons learned that convey the results of events and/or exercises. 

T0837 

Advise managers and operators on language and cultural issues that impact organization 
objectives. 

T0838 

Analyze and process information using language and/or cultural expertise. 

T0839 

Assess, document, and apply a target's motivation and/or frame of reference to facilitate 
analysis, targeting and collection opportunities. 

T0840 

Collaborate across internal and/or external organizational lines to enhance collection, analysis 
and dissemination. 

T0841 

Conduct all-source target research to include the use of open source materials in the target 
language. 

T0842 

Conduct analysis of target communications to identify essential information in support of 
organization objectives. 

T0843 

Perform quality review and provide feedback on transcribed or translated materials. 

T0844 

Evaluate and interpret metadata to look for patterns, anomalies, or events, thereby optimizing 
targeting, analysis and processing. 

T0845 

Identify cyber threat tactics and methodologies. 

T0846 

Identify target communications within the global network. 

T0847 

Maintain awareness of target communication tools, techniques, and the characteristics of 
target communication networks (e.g., capacity, functionality, paths, critical nodes) and their 
potential implications for targeting, collection, and analysis. 

T0848 

Provide feedback to collection managers to enhance future collection and analysis. 

T0849 

Perform foreign language and dialect identification in initial source data. 

T0850 

Perform or support technical network analysis and mapping. 

T0851 

Provide requirements and feedback to optimize the development of language processing tools. 

T0852 

Perform social network analysis and document as appropriate. 

T0853 

Scan, identify and prioritize target graphic (including machine-to-machine communications) 
and/or voice language material. 

T0854 

Tip critical or time-sensitive information to appropriate customers. 

T0855 

Transcribe target voice materials in the target language. 

T0856 

Translate (e.g., verbatim, gists, and/or summaries) target graphic material. 

T0857 

Translate (e.g., verbatim, gists, and/or summaries) target voice material. 

T0858 

Identify foreign language terminology within computer programs (e.g., comments, variable 
names). 

T0859 

Provide near-real time language analysis support (e.g., live operations). 

T0860 

Identify cyber/technology-related terminology in the target language. 

T0861 

Work with the general counsel, external affairs and businesses to ensure both existing and new 
services comply with privacy and data security obligations. 

T0862 

Work with legal counsel and management, key departments and committees to ensure the 
organization has and maintains appropriate privacy and confidentiality consent, authorization 
forms and information notices and materials reflecting current organization and legal practices 
and requirements. 

T0863 

Coordinate with the appropriate regulating bodies to ensure that programs, policies and 
procedures involving civil rights, civil liberties and privacy considerations are addressed in an 
integrated and comprehensive manner. 

T0864 

Liaise with regulatory and accrediting bodies. 

T0865 

Work with external affairs to develop relationships with regulators and other government 
officials responsible for privacy and data security issues. 

T0866 

Maintain current knowledge of applicable federal and state privacy laws and accreditation 
standards, and monitor advancements in information privacy technologies to ensure 
organizational adaptation and compliance. 

T0867 

Ensure all processing and/or databases are registered with the local privacy/data protection 
authorities where required. 

T0868 

Work with business teams and senior management to ensure awareness of “best practices” on 
privacy and data security issues. 

T0869 

Work with organization senior management to establish an organization-wide Privacy 
Oversight Committee 

T0870 

Serve in a leadership role for Privacy Oversight Committee activities 

T0871 

Collaborate on cyber privacy and security policies and procedures 

T0872 

Collaborate with cyber security personnel on the security risk assessment process to address 
privacy compliance and risk mitigation 

T0873 

Interface with Senior Management to develop strategic plans for the collection, use and 
sharing of information in a manner that maximizes its value while complying with applicable 
privacy regulations 

T0874 

Provide strategic guidance to corporate officers regarding information resources and 
technology 

T0875 

Assist the Security Officer with the development and implementation of an information 
infrastructure 

T0876 

Coordinate with the Corporate Compliance Officer re: procedures for documenting and 
reporting self-disclosures of any evidence of privacy violations. 

T0877 

Work cooperatively with applicable organization units in overseeing consumer information 
access rights 

T0878 

Serve as the information privacy liaison for users of technology systems 

T0879 

Act as a liaison to the information systems department 

T0880 

Develop privacy training materials and other communications to increase employee 
understanding of company privacy policies, data handling practices and procedures and legal 
obligations 

T0881 

Oversee, direct, deliver or ensure delivery of initial privacy training and orientation to all 
employees, volunteers, contractors, alliances, business associates and other appropriate third 
parties 

T0882 

Conduct on-going privacy training and awareness activities 

T0883 

Work with external affairs to develop relationships with consumer organizations and other 
NGOs with an interest in privacy and data security issues—and to manage company 
participation in public events related to privacy and data security 

T0884 

Work with organization administration, legal counsel and other related parties to represent the 
organization’s information privacy interests with external parties, including government 
bodies, which undertake to adopt or amend privacy legislation, regulation or standard. 

T0885 

Report on a periodic basis regarding the status of the privacy program to the Board, CEO or 
other responsible individual or committee 

T0886 

Work with External Affairs to respond to press and other inquiries with regard to concern over 
consumer and employee data 

T0887 

Provide leadership for the organization’s privacy program 

T0888 

Direct and oversee privacy specialists and coordinate privacy and data security programs with 
senior executives globally to ensure consistency across the organization 

T0889 

Ensure compliance with privacy practices and consistent application of sanctions for failure to 
comply with privacy policies for all individuals in the organization’s workforce, extended 
workforce and for all business associates in cooperation with Human Resources, the 
information security officer, administration and legal counsel as applicable 

T0890 

Develop appropriate sanctions for failure to comply with the corporate privacy policies and 
procedures 

T0891 

Resolve allegations of non-compliance with the corporate privacy policies or notice of 
information practices 

T0892 

Develop and coordinate a risk management and compliance framework for privacy 

T0893 

Undertake a comprehensive review of the company’s data and privacy projects and ensure that 
they are consistent with corporate privacy and data security goals and policies. 

T0894 

Develop and manage enterprise-wide procedures to ensure the development of new products 
and services is consistent with company privacy policies and legal obligations 

T0895 

Establish a process for receiving, documenting, tracking, investigating and taking action on all 
complaints concerning the organization’s privacy policies and procedures 

T0896 

Establish with management and operations a mechanism to track access to protected health 
information, within the purview of the organization and as required by law and to allow 
qualified individuals to review or receive a report on such activity 

T0897 

Provide leadership in the planning, design and evaluation of privacy and security related 
projects 

T0898 

Establish an internal privacy audit program 

T0899 

Periodically revise the privacy program in light of changes in laws, regulatory or company 
policy 

T0900 

Provide development guidance and assist in the identification, implementation and 
maintenance of organization information privacy policies and procedures in coordination with 
organization management and administration and legal counsel 

T0901 

Assure that the use of technologies maintains, and does not erode, privacy protections on use, 
collection and disclosure of personal information 

T0902 

Monitor systems development and operations for security and privacy compliance 

T0903 

Conduct privacy impact assessments of proposed rules on the privacy of personal information, 
including the type of personal information collected and the number of people affected 

T0904 

Conduct periodic information privacy impact assessments and ongoing compliance monitoring 
activities in coordination with the organization’s other compliance and operational assessment 
functions 

T0905 

Review all system-related information security plans to ensure alignment between security and 
privacy practices 

T0906 

Work with all organization personnel involved with any aspect of release of protected 
information to ensure coordination with the organization’s policies, procedures and legal 
requirements 

T0907 

Account for and administer individual requests for release or disclosure of personal and/or 
protected information 

T0908 

Develop and manage procedures for vetting and auditing vendors for compliance with the 
privacy and data security policies and legal requirements 

T0909 

Participate in the implementation and ongoing compliance monitoring of all trading partner 
and business associate agreements, to ensure all privacy concerns, requirements and 
responsibilities are addressed 

T0910 

Act as, or work with, counsel relating to business partner contracts 

T0911 

Mitigate effects of a use or disclosure of personal information by employees or business 
partners 

T0912 

Develop and apply corrective action procedures 

T0913 

Administer action on all complaints concerning the organization’s privacy policies and 
procedures in coordination and collaboration with other similar functions and, when 
necessary, legal counsel 

T0914 

Support the organization’s privacy compliance program, working closely with the Privacy 
Officer, Chief Information Security Officer, and other business leaders to ensure compliance 
with federal and state privacy laws and regulations 

T0915 

Identify and correct potential company compliance gaps and/or areas of risk to ensure full 
compliance with privacy regulations 

T0916 

Manage privacy incidents and breaches in conjunction with the Privacy Officer, Chief 
Information Security Officer, legal counsel and the business units 

T0917 

Coordinate with the Chief Information Security Officer to ensure alignment between security 
and privacy practices 

T0918 

Establish, implement and maintain organization-wide policies and procedures to comply with 
privacy regulations 

T0919 

Ensure that the company maintains appropriate privacy and confidentiality notices, consent 
and authorization forms, and materials 

T0920 

Develop and maintain appropriate communications and training to promote and educate all 
workforce members and members of the Board regarding privacy compliance issues and 
requirements, and the consequences of non-compliance 

T0921 

Determine business partner requirements related to the organization’s privacy program 

T0922 

Establish and administer a process for receiving, documenting, tracking, investigating and 
taking corrective action as appropriate on complaints concerning the company’s privacy 
policies and procedures 

T0923 

Cooperate with the relevant regulatory agencies and other legal entities, and organization 
officers, in any compliance reviews or investigations 

T0924 

Perform ongoing privacy compliance monitoring activities 

T0925 

Monitor advancements in information privacy technologies to ensure organization adoption 
and compliance 

T0926 

Develop or assist with the development of privacy training materials and other 
communications to increase employee understanding of company privacy policies, data 
handling practices and procedures and legal obligations 

T0927 

Appoint and guide a team of IT security experts 

T0928 

Collaborate with key stakeholders to establish a cybersecurity risk management program 


A.5 NCWF Knowledge Descriptions 

Table 6 provides a listing of specific knowledge that might be demonstrated by a person in a 
given cybersecurity position. Selected knowledge descriptions from this list are included in the 
Detailed Work Role Listing in Appendix B. Because the knowledge aspects have evolved over 
many years and are expected to continue to do so, they are not sorted in a particular order and 
will simply continue to grow sequentially. 

Table 6 - NCWF Knowledge Descriptions 


ID 

Description 

K0001 

* Knowledge of computer networking concepts and protocols, and network security 
methodologies. 

K0002 

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 

K0003 

* Knowledge of national and international laws, regulations, policies, and ethics as they 
relate to cybersecurity. 

K0004 

* Knowledge of cybersecurity principles. 

K0005 

* Knowledge of cyber threats and vulnerabilities. 

K0006 

* Knowledge of specific operational impacts of cybersecurity lapses. 

K0007 

Knowledge of authentication, authorization, and access control methods. 

K0008 

Knowledge of applicable business processes and operations of customer organizations. 

K0009 

Knowledge of application vulnerabilities. 

K0010 

Knowledge of communication methods, principles, and concepts (e.g., crypto, dual hubs, 
time multiplexers) that support the network infrastructure. 

K0011 

Knowledge of capabilities and applications of network equipment including hubs, routers, 
switches, bridges, servers, transmission media, and related hardware. 

K0012 

Knowledge of capabilities and requirements analysis. 

K0013 

Knowledge of cyber defense and vulnerability assessment tools, including open source tools, 
and their capabilities. 

K0014 

Knowledge of complex data structures. 

K0015 

Knowledge of computer algorithms. 

K0016 

Knowledge of computer programming principles such as object-oriented design. 

K0017 

Knowledge of concepts and practices of processing digital forensic data. 

K0018 

Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced 
Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange 
[IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data 
Encryption Standard [3DES]). 

K0019 

Knowledge of cryptography and cryptographic key management concepts. 

K0020 

Knowledge of data administration and data standardization policies and standards. 

K0021 

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts 
and tools. 

K0022 

Knowledge of data mining and data warehousing principles. 

K0023 

Knowledge of database management systems, query languages, table relationships, and 
views. 

K0024 

Knowledge of database systems. 

K0025 

Knowledge of digital rights management. 

K0026 

Knowledge of disaster recovery continuity of operations plans. 

K0027 

Knowledge of organization's enterprise information security architecture system. 

K0028 

Knowledge of organization's evaluation and validation requirements. 

K0029 

Knowledge of organization's LAN/WAN pathways. 

K0030 

Knowledge of electrical engineering as applied to computer architecture, including circuit 
boards, processors, chips, and associated computer hardware. 

K0031 

Knowledge of enterprise messaging systems and associated software. 

K0032 

Knowledge of fault tolerance. 

K0033 

Knowledge of host/network access control mechanisms (e.g., access control list). 

K0034 

Knowledge of how network services and protocols interact to provide network 
communications. 

K0035 

Knowledge of how system components are installed, integrated, and optimized. 

K0036 

Knowledge of human-computer interaction principles. 

K0037 

Knowledge of the Security Assessment and Authorization process. 

K0038 

Knowledge of cybersecurity principles used to manage risks related to the use, processing, 
storage, and transmission of information or data. 

K0039 

Knowledge of cybersecurity principles and methods that apply to software development. 

K0040 

Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. 

K0041 

Knowledge of incident categories, incident responses, and timelines for responses. 

K0042 

Knowledge of incident response and handling methodologies. 

K0043 

Knowledge of industry-standard and organizationally accepted analysis principles and 
methods. 

K0044 

Knowledge of cybersecurity principles and organizational requirements (relevant to 
confidentiality, integrity, availability, authentication, non-repudiation). 

K0045 

Knowledge of information security systems engineering principles. 

K0046 

Knowledge of intrusion detection methodologies and techniques for detecting host and 
network-based intrusions via intrusion detection technologies. 

K0047 

Knowledge of information technology (IT) architectural concepts and frameworks. 

K0048 

Knowledge of Risk Management Framework (RMF) requirements. 

K0049 

Knowledge of information technology (IT) security principles and methods (e.g., firewalls, 
demilitarized zones, encryption). 

K0050 

Knowledge of local area and wide area networking principles and concepts including 
bandwidth management. 

K0051 

Knowledge of low-level computer languages (e.g., assembly languages). 

K0052 

Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and 
statistics. 

K0053 

Knowledge of measures or indicators of system performance and availability. 

K0054 

Knowledge of current industry methods for evaluating, implementing, and disseminating 
information technology (IT) security assessment, monitoring, detection, and remediation 
tools and procedures utilizing standards-based concepts and capabilities. 

K0055 

Knowledge of microprocessors. 

K0056 

Knowledge of network access, identity, and access management (e.g., public key 
infrastructure [PKI]). 

K0057 

Knowledge of network hardware devices and functions. 

K0058 

Knowledge of network traffic analysis methods. 

K0059 

Knowledge of new and emerging information technology (IT) and cybersecurity 
technologies. 

K0060 

Knowledge of operating systems. 

K0061 

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol 
[TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information 
Technology Infrastructure Library, current version [ITIL]). 

K0062 

Knowledge of packet-level analysis. 

K0063 

Knowledge of parallel and distributed computing concepts. 

K0064 

Knowledge of performance tuning tools and techniques. 

K0065 

Knowledge of policy-based and risk adaptive access controls. 

K0066 

Knowledge of Privacy Impact Assessments. 

K0067 

Knowledge of process engineering concepts. 

K0068 

Knowledge of programming language structures and logic. 

K0069 

Knowledge of query languages such as SQL (structured query language). 

K0070 

Knowledge of system and application security threats and vulnerabilities (e.g., buffer 
overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language 
[PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, 
malicious code). 

K0071 

Knowledge of remote access technology concepts. 

K0072 

Knowledge of resource management principles and techniques. 

K0073 

Knowledge of secure configuration management techniques. 

K0074 

Knowledge of key concepts in security management (e.g., Release Management, Patch 
Management). 

K0075 

Knowledge of security system design tools, methods, and techniques. 

K0076 

Knowledge of server administration and systems engineering theories, concepts, and 
methods. 

K0077 

Knowledge of server and client operating systems. 

K0078 

Knowledge of server diagnostic tools and fault identification techniques. 

K0079 

Knowledge of software debugging principles. 

K0080 

Knowledge of software design tools, methods, and techniques. 

K0081 

Knowledge of software development models (e.g., Waterfall Model, Spiral Model). 

K0082 

Knowledge of software engineering. 

K0083 

Knowledge of sources, characteristics, and uses of the organization’s data assets. 

K0084 

Knowledge of structured analysis principles and methods. 

K0085 

Knowledge of system and application security threats and vulnerabilities. 

K0086 

Knowledge of system design tools, methods, and techniques, including automated systems 
analysis and design tools. 

K0087 

Knowledge of system software and organizational design standards, policies, and authorized 
approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to 
system design. 

K0088 

Knowledge of systems administration concepts. 

K0089 

Knowledge of systems diagnostic tools and fault identification techniques. 

K0090 

Knowledge of system life cycle management principles, including software security and 
usability. 

K0091 

Knowledge of systems testing and evaluation methods. 

K0092 

Knowledge of technology integration processes. 

K0093 

Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics 
Systems Link Budgeting, Add/Drop Multiplexers). 

K0094 

Knowledge of the capabilities and functionality associated with various content creation 
technologies (e.g., wikis, social networking, blogs). 

K0095 

Knowledge of the capabilities and functionality associated with various technologies for 
organizing and managing information (e.g., databases, bookmarking engines). 

K0096 

Knowledge of the capabilities and functionality of various collaborative technologies (e.g., 
groupware, SharePoint). 

K0097 

Knowledge of the characteristics of physical and virtual data storage media. 

K0098 

Knowledge of the cyber defense Service Provider reporting structure and processes within 
one’s own organization. 

K0099 

Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, 
Domain Name Server), and how they interact to provide network communications. 

K0100 

Knowledge of the enterprise information technology (IT) architecture. 

K0101 

Knowledge of the organization’s enterprise information technology (IT) goals and objectives. 

K0102 

Knowledge of the systems engineering process. 

K0103 

Knowledge of the type and frequency of routine maintenance needed to keep equipment 
functioning properly. 

K0104 

Knowledge of Virtual Private Network (VPN) security. 

K0105 

Knowledge of web services, including service-oriented architecture, Simple Object Access 
Protocol, and web service description language. 

K0106 

Knowledge of what constitutes a network attack and the relationship to both threats and 
vulnerabilities. 

K0107 

Knowledge of and experience in Insider Threat investigations, reporting, investigative tools 
and laws/regulations. 

K0108 

Knowledge of basic concepts, terminology, and operations of a wide range of 
communications media (computer and telephone networks, satellite, fiber, wireless). 

K0109 

Knowledge of basic physical computer components and architectures, including the functions 
of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). 

K0110 

Knowledge of common adversary tactics, techniques, and procedures in assigned area of 
responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging 
capabilities). 

K0111 

Knowledge of common network tools (e.g., ping, traceroute, nslookup) and interpret the 
information results. 

K0112 

Knowledge of defense-in-depth principles and network security architecture. 

K0113 

Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, 
WWAN). 

K0114 

Knowledge of electronic devices (e.g., computer systems/components, access control 
devices, digital cameras, electronic organizers, hard drives, memory cards, modems, network 
components, printers, removable storage devices, scanners, telephones, copiers, credit card 
skimmers, facsimile machines, global positioning systems [GPSs]). 

K0115 

Knowledge of emerging computer-based technology that has potential for exploitation by 
adversaries. 

K0116 

Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip). 

K0117 

Knowledge of file system implementations (e.g., New Technology File System [NTFS], File 
Allocation Table [FAT], File Extension [EXT]). 

K0118 

Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody). 

K0119 

Knowledge of hacking methodologies in Windows or Unix/Linux environment. 

K0120 

Knowledge of how information needs and collection requirements are translated, tracked, and 
prioritized across the extended enterprise. 

K0121 

Knowledge of information security program management and project management principles 
and techniques. 

K0122 

Knowledge of investigative implications of hardware, Operating Systems, and network 
technologies. 

K0123 

Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence). 

K0124 

Knowledge of multiple cognitive domains and appropriate tools and methods for learning in 
each domain. 

K0125 

Knowledge of processes for collecting, packaging, transporting, and storing electronic 
evidence to avoid alteration, loss, physical damage, or destruction of data. 

K0126 

Knowledge of secure acquisitions (e.g., relevant Contracting Officer's Technical 
Representative [COTR] duties, secure procurement, supply chain risk management). 

K0127 

Knowledge of the nature and function of the relevant information structure (e.g., National 
Information Infrastructure). 

K0128 

Knowledge of types and collection of persistent data. 

K0129 

Knowledge of Unix command line (e.g., mkdir, mv, ls, passwd, grep). 

K0130 

Knowledge of virtualization technologies and virtual machine development and maintenance. 

K0131 

Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. 

K0132 

Knowledge of which system files (e.g., log files, registry files, configuration files) contain 
relevant information and where to find those system files. 

K0133 

Knowledge of types of digital forensics data and how to recognize them. 

K0134 

Knowledge of deployable forensics. 

K0135 

Knowledge of web filtering technologies. 

K0136 

Knowledge of the capabilities of different electronic communication systems and methods 
(e.g., e-mail, VOIP, IM, web forums, Direct Video Broadcasts). 

K0137 

Knowledge of the range of existing networks (e.g., PBX, LANs, WANs, WIFI, SCADA). 

K0138 

Knowledge of Wi-Fi. 

K0139 

Knowledge of interpreted and compiled computer languages. 

K0140 

Knowledge of secure coding techniques. 

K0141 

Withdrawn - Integrated into K0420 

K0142 

Knowledge of collection management processes, capabilities, and limitations. 

K0143 

Knowledge of front-end collection systems, including network traffic collection, filtering, 
and selection. 

K0144 

Knowledge of social dynamics of computer attackers in a global context. 

K0145 

Knowledge of security event correlation tools. 

K0146 

Knowledge of the organization's core business/mission processes. 

K0147 

Knowledge of emerging security issues, risks, and vulnerabilities. 

K0148 

Knowledge of import/export control regulations and responsible agencies for the purposes of 
reducing supply chain risk. 

K0149 

Knowledge of organization's risk tolerance and/or risk management approach. 

K0150 

Knowledge of enterprise incident response program, roles, and responsibilities. 

K0151 

Knowledge of current and emerging threats/threat vectors. 

K0152 

Knowledge of software related information technology (IT) security principles and methods 
(e.g., modularization, layering, abstraction, data hiding, simplicity/minimization). 

K0153 

Knowledge of software quality assurance process. 

K0154 

Knowledge of supply chain risk management standards, processes, and practices. 

K0155 

Knowledge of electronic evidence law. 

K0156 

Knowledge of legal rules of evidence and court procedure. 

K0157 

Knowledge of cyber defense policies, procedures, and regulations. 

K0158 

Knowledge of organizational information technology (IT) user security policies (e.g., account 
creation, password rules, access control). 

K0159 

Knowledge of Voice over IP (VoIP). 

K0160 

Knowledge of the common attack vectors on the network layer. 

K0161 

Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution). 

K0162 

Knowledge of different operational threat environments (e.g., first generation [script kiddies], 
second generation [non-nation state sponsored], and third generation [nation state 
sponsored]). 

K0163 

Knowledge of critical information technology (IT) procurement requirements. 

K0164 

Knowledge of functionality, quality, and security requirements and how these will apply to 
specific items of supply (i.e., elements and processes). 

K0165 

Knowledge of risk threat assessment. 

K0166 

Knowledge of the nature and function of the relevant information structure. 

K0167 

Knowledge of basic system administration, network, and operating system hardening 
techniques. 

K0168 

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign 
Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties 
and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential 
Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and 
procedures relevant to work performed. 

K0169 

Knowledge of information technology (IT) supply chain security and risk management 
policies, requirements, and procedures. 

K0170 

Knowledge of local specialized system requirements (e.g., critical infrastructure systems that 
may not use standard information technology [IT]) for safety, performance, and reliability. 

K0171 

Knowledge of hardware reverse engineering techniques. 

K0172 

Knowledge of middleware (e.g., enterprise service bus and message queuing). 

K0173 

Withdrawn - Integrated into K0499 

K0174 

Knowledge of networking protocols. 

K0175 

Knowledge of software reverse engineering techniques. 

K0176 

Knowledge of Extensible Markup Language (XML) schemas. 

K0177 

Knowledge of general attack stages (e.g., foot printing and scanning, enumeration, gaining 
access, escalation of privileges, maintaining access, network exploitation, covering tracks). 

K0178 

Knowledge of secure software deployment methodologies, tools, and practices. 

K0179 

Knowledge of network security architecture concepts including topology, protocols, 
components, and principles (e.g., application of defense-in-depth). 

K0180 

Knowledge of network systems management principles, models, methods (e.g., end-to-end 
systems performance monitoring), and tools. 

K0181 

Knowledge of transmission records (e.g., Bluetooth, Radio Frequency Identification [RFID], 
Infrared Networking [IR], Wireless Fidelity [Wi-Fi], paging, cellular, satellite dishes), and 
jamming techniques that enable transmission of undesirable information, or prevent installed 
systems from operating correctly. 

K0182 

Knowledge of data carving tools and techniques (e.g., Foremost). 

K0183 

Knowledge of reverse engineering concepts. 

K0184 

Knowledge of anti-forensics tactics, techniques, and procedures. 

K0185 

Knowledge of common forensics tool configuration and support applications (e.g., VMWare, 
WIRESHARK). 

K0186 

Knowledge of debugging procedures and tools. 

K0187 

Knowledge of how different file types can be used for anomalous behavior. 

K0188 

Knowledge of malware analysis tools (e.g., Oily Debug, Ida Pro). 

K0189 

Knowledge of virtual machine aware malware, debugger aware malware, and packing. 

K0190 

Knowledge of encryption methodologies. 

K0191 

Knowledge of signature implementation impact. 

K0192 

Knowledge of Windows/Unix ports and services. 

K0193 

Knowledge of advanced data remediation security features in databases. 

K0194 

Knowledge of Cloud-based knowledge management technologies and concepts related to 
security, governance, procurement, and administration. 

K0195 

Knowledge of data classification standards and methodologies based on sensitivity and other 
risk factors. 

K0196 

Knowledge of Import/Export Regulations related to cryptography and other security 
technologies. 

K0197 

Knowledge of Java-based database access application programming interface (API) (e.g., 
Java Database Connectivity [JDBC]). 

K0198 

Knowledge of organizational process improvement concepts and process maturity models 
(e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, 
and CMMI for Acquisitions). 

K0199 

Knowledge of security architecture concepts and enterprise architecture reference models 
(e.g., Zachman, Federal Enterprise Architecture [FEA]). 

K0200 

Knowledge of service management concepts for networks and related standards (e.g., 
Information Technology Infrastructure Library, current version [ITIL]). 

K0201 

Knowledge of symmetric key rotation techniques and concepts. 

K0202 

Knowledge of the application firewall concepts and functions (e.g., Single point of 
authentication/audit/policy enforcement, message scanning for malicious content, data 
anonymization for PCI and PII compliance, data loss protection scanning, accelerated 
cryptographic operations, SSL security, REST/JSON processing). 

K0203 

Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, 
Clark-Wilson integrity model). 

K0204 

Knowledge of assessment techniques (rubrics, evaluation plans, tests, quizzes). 

K0205 

Knowledge of basic system, network, and OS hardening techniques. 

K0206 

Knowledge of ethical hacking principles and techniques. 

K0207 

Knowledge of circuit analysis. 

K0208 

Knowledge of computer based training and e-learning services. 

K0209 

Knowledge of covert communication techniques. 

K0210 

Knowledge of data backup and restoration concepts. 

K0211 

Knowledge of confidentiality, integrity, and availability requirements. 

K0212 

Knowledge of cybersecurity-enabled software products. 

K0213 

Knowledge of instructional design and evaluation models (e.g., ADDIE, Smith/Ragan model, 
Gagne’s Events of Instruction, Kirkpatrick’s model of evaluation). 

K0214 

Knowledge of the Risk Management Framework Assessment Methodology. 

K0215 

Knowledge of organizational training policies. 

K0216 

Knowledge of learning levels (i.e., Bloom’s Taxonomy of learning). 

K0217 

Knowledge of Learning Management Systems and their use in managing learning. 

K0218 

Knowledge of learning styles (e.g., assimilator, auditory, kinesthetic). 

K0219 

Knowledge of local area network (LAN) and wide area network (WAN) principles. 

K0220 

Knowledge of modes of learning (e.g., rote learning, observation). 

K0221 

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP). 

K0222 

Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber 
defense activities. 

K0223 

Withdrawn - integrated into K0073 

K0224 

Knowledge of system administration concepts for Unix/Linux and/or Windows operating 
systems. 

K0225 

Knowledge of the common networking protocol and services deployed at CC/S/A. 

K0226 

Knowledge of organizational training systems. 

K0227 

Knowledge of various types of computer architectures. 

K0228 

Knowledge of taxonomy and semantic ontology theory. 

K0229 

Knowledge of applications that can log errors, exceptions, and application faults and logging. 

K0230 

Knowledge of cloud service models and possible limitations for an incident response. 

K0231 

Knowledge of crisis management protocols, processes, and techniques. 

K0232 

Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE). 

K0233 

Knowledge of the National Cybersecurity Workforce Framework, work roles, and associated 
tasks, knowledge, skills, and abilities. 

K0234 

Knowledge of full spectrum cyber capabilities. 

K0235 

Knowledge of how to leverage government research and development centers, think tanks, 
academic research, and industry systems. 

K0236 

Knowledge of how to utilize Hadoop, Java, Python, SQL, Hive, and PIG to explore data. 

K0237 

Knowledge of industry best practices for service desk. 

K0238 

Knowledge of machine learning theory and principles. 

K0239 

Knowledge of media production, communication, and dissemination techniques and methods, 
including alternative ways to inform via written, oral, and visual media. 

K0240 

Knowledge of multi-level/security cross domain solutions. 

K0241 

Knowledge of organizational human resource policies, processes, and procedures. 

K0242 

Knowledge of organizational security policies. 

K0243 

Knowledge of organizational training and education policies, processes, and procedures. 

K0244 

Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal 
activity. 

K0245 

Knowledge of principles and processes for conducting training and education needs 
assessment. 

K0246 

Knowledge of relevant concepts, procedures, software, equipment, and technology 
applications. 

K0247 

Knowledge of remote access processes, tools, and capabilities related to customer support. 

K0248 

Knowledge of strategic theory and practice. 

K0249 

Knowledge of sustainment technologies, processes and strategies. 

K0250 

Knowledge of Test & Evaluation processes. 

K0251 

Knowledge of the judicial process, including the presentation of facts and evidence. 

K0252 

Knowledge of training and education principles and methods for curriculum design, teaching 
and instruction for individuals and groups, and the measurement of training and education 
effects. 

K0253 

Withdrawn - Integrated into K0227 

K0254 

Knowledge of binary analysis. 

K0255 

Knowledge of network architecture concepts including topology, protocols, and components. 

K0256 

Withdrawn - Integrated into K0224 

K0257 

Knowledge of information technology (IT) acquisition/procurement requirements. 

K0258 

Knowledge of test procedures, principles, and methodologies (e.g., Capabilities and Maturity 
Model Integration (CMMI)). 

K0259 

Knowledge of malware analysis concepts and methodologies. 

K0260 

Knowledge of Personally Identifiable Information (PII) data security standards. 

K0261 

Knowledge of Payment Card Industry (PCI) data security standards. 

K0262 

Knowledge of Personal Health Information (PHI) data security standards. 

K0263 

Knowledge of information technology (IT) risk management policies, requirements, and 
procedures. 

K0264 

Knowledge of program protection planning to include information technology (IT) supply 
chain security/risk management policies, anti-tampering techniques, and requirements. 

K0265 

Knowledge of infrastructure supporting information technology (IT) for safety, performance, 
and reliability. 

K0266 

Knowledge of how to evaluate the trustworthiness of the supplier and/or product. 

K0267 

Knowledge of relevant laws, policies, procedures, or governance related to critical 
infrastructure. 

K0268 

Knowledge of forensic footprint identification. 

K0269 

Knowledge of mobile communications architecture. 

K0270 

Knowledge of the acquisition/procurement life cycle process. 

K0271 

Knowledge of operating system structures and internals (e.g., process management, directory 
structure, installed applications). 

K0272 

Knowledge of network analysis tools used to identify software communications 
vulnerabilities. 

K0273 

Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining 
access, escalation of privileges, maintaining access, network exploitation, covering tracks). 

K0274 

Knowledge of transmission records (e.g., Bluetooth, Radio Frequency Identification (RFID), 
Infrared Networking (IR), Wireless Fidelity (Wi-Fi), paging, cellular, satellite dishes, Voice 
over Internet Protocol (VoIP)), and jamming techniques that enable transmission of 
undesirable information, or prevent installed systems from operating correctly. 

K0275 

Knowledge of configuration management techniques. 

K0276 

Knowledge of security management. 

K0277 

Knowledge of current and emerging data encryption (e.g., Column and Tablespace 
Encryption, file and disk encryption) security features in databases, including built-in 
cryptographic key management features. 

K0278 

Knowledge of current and emerging data remediation security features in databases. 

K0279 

Knowledge of database access application programming interfaces (APIs) (e.g., Java 
Database Connectivity [JDBC]). 

K0280 

Knowledge of systems engineering theories, concepts, and methods. 

K0281 

Knowledge of information technology (IT) service catalogues. 

K0282 

Withdrawn - Integrated into K0200 

K0283 

Knowledge of use cases related to collaboration and content synchronization across platforms 
(e.g., Mobile, PC, Cloud). 

K0284 

Knowledge of developing and applying user credential management system. 

K0285 

Knowledge of implementing enterprise key escrow systems to support data-at-rest 
encryption. 

K0286 

Knowledge of N-tiered typologies including server and client operating systems. 

K0287 

Knowledge of an organization's information classification program and procedures for 
information compromise. 

K0288 

Knowledge of industry standard security models. 

K0289 

Knowledge of system/server diagnostic tools and fault identification techniques. 

K0290 

Knowledge of systems security testing and evaluation methods. 

K0291 

Knowledge of the enterprise information technology (IT) architectural concepts and patterns 
to include baseline and target architectures. 

K0292 

Knowledge of the operations and processes for incident, problem, and event management. 

K0293 

Knowledge of integrating the organization’s goals and objectives into the architecture. 

K0294 

Knowledge of IT system operation, maintenance, and security needed to keep equipment 
functioning properly.

K0295

Knowledge of confidentiality, integrity, and availability principles. 

K0296 

Knowledge of capabilities, applications, and potential vulnerabilities of network equipment 
including hubs, routers, switches, bridges, servers, transmission media, and related hardware. 

K0297 

Knowledge of countermeasure design for identified security risks. 

K0298 

Knowledge of countermeasures for identified security risks. 

K0299 

Knowledge in determining how a security system should work (including its resilience and 
dependability capabilities) and how changes in conditions, operations, or the environment 
will affect these outcomes. 

K0300 

Knowledge of network mapping and recreating network topologies. 

K0301 

Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump). 

K0302 

Knowledge of the basic operation of computers. 

K0303 

Knowledge of the use of sub-netting tools. 

K0304 

Knowledge of basic concepts and practices of processing digital forensic data. 

K0305 

Knowledge of encryption algorithms, steganography, and other forms of data concealment.

K0306 

Knowledge of basic physical computer components and architectures 

K0307 

Knowledge of common network tools (e.g., ping, traceroute, nslookup). 

K0308 

Knowledge of cryptology. 

K0309 

Knowledge of emerging technologies that have potential for exploitation by adversaries. 

K0310 

Knowledge of hacking methodologies. 

K0311 

Knowledge of industry indicators useful for identifying technology trends. 

K0312 

Knowledge of intelligence principles, policies, and procedures including legal authorities and 
restrictions. 

K0313 

Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber 
curriculum/training and Research & Development). 

K0314 

Knowledge of industry technologies and how differences affect exploitation/vulnerabilities. 

K0315 

Knowledge of the principal methods, procedures, and techniques of gathering information 
and producing, reporting, and sharing information. 

K0316 

Knowledge of business or military operation plans, concept operation plans, orders, policies, 
and standing rules of engagement. 

K0317 

Knowledge of procedures used for documenting and querying reported incidents, problems, 
and events. 

K0318 

Knowledge of operating system command line/prompt. 

K0319 

Knowledge of technical delivery capabilities and their limitations. 

K0320 

Knowledge of organization's evaluation and validation criteria. 

K0321 

Knowledge of engineering concepts as applied to computer architecture and associated 
computer hardware/software. 

K0322 

Knowledge of embedded systems. 

K0323 

Knowledge of system fault tolerance methodologies. 

K0324 

Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and 
applications. 

K0325 

Knowledge of Information Theory (e.g., source coding, channel coding, algorithm 
complexity theory, and data compression). 

K0326 

Knowledge of cybersecurity methods, such as firewalls, demilitarized zones, and encryption. 

K0327 

Knowledge of local area network (LAN), wide area network (WAN) and enterprise 
principles and concepts, including bandwidth management. 

K0328 

Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, 
statistics, and operational analysis. 

K0329 

Knowledge of statistics.

K0330

Knowledge of successful capabilities to identify the solutions to less common and more 
complex system problems. 

K0331 

Knowledge of network protocols (e.g., Transmission Control Protocol (TCP), Internet
Protocol (IP), Dynamic Host Configuration Protocol (DHCP)), and directory services (e.g.,
Domain Name System (DNS)).

K0332 

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain
Name System (DNS), and directory services.

K0333 

Knowledge of network design processes, to include understanding of security objectives, 
operational objectives, and tradeoffs. 

K0334 

Knowledge of network traffic analysis (tools, methodologies, processes). 

K0335 

Knowledge of current and emerging cyber technologies. 

K0336 

Knowledge of access authentication methods. 

K0337 

Withdrawn - Integrated into K0007 

K0338 

Knowledge of data mining techniques. 

K0339 

Knowledge of how to use network analysis tools to identify vulnerabilities. 

K0340 

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol 
(TCP), Internet Protocol (IP), Open System Interconnection Model (OSI)). 

K0341 

Knowledge of foreign disclosure policies and import/export control regulations as related to 
cybersecurity. 

K0342 

Knowledge of penetration testing principles, tools, and techniques. 

K0343 

Knowledge of root cause analysis techniques. 

K0344 

Knowledge of threat environments. 

K0345 

Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, 
and nation sponsored). 

K0346 

Knowledge of principles and methods for integrating system components. 

K0347 

Knowledge and understanding of operational design 

K0348 

Knowledge of a wide range of basic communications media concepts and terminology (e.g., 
computer and telephone networks, satellite, cable, wireless). 

K0349 

Knowledge of a wide range of concepts associated with websites (e.g., website types, 
administration, functions, software systems, etc.). 

K0350 

Knowledge of accepted organization planning systems. 

K0351 

Knowledge of all applicable statutes, laws, regulations and policies governing cyber targeting 
and exploitation. 

K0352 

Knowledge of all forms of intelligence support needs, topics, and focus areas. 

K0353 

Knowledge of all possible circumstances that would result in changing collection 
management authorities. 

K0354 

Knowledge of all relevant reporting and dissemination procedures. 

K0355 

Knowledge of all-source reporting and dissemination procedures. 

K0356 

Knowledge of analytic tools and techniques. 

K0357 

Knowledge of analytical constructs and their use in assessing the operational environment. 

K0358 

Knowledge of analytical standards and the purpose of intelligence confidence levels. 

K0359 

Knowledge of approved intelligence dissemination processes. 

K0360 

Knowledge of assembly code. 

K0361 

Knowledge of asset availability, capabilities and limitations. 

K0362 

Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.). 

K0363 

Knowledge of auditing and logging procedures (including server-based logging). 

K0364 

Knowledge of available databases and tools necessary to assess appropriate collection 
tasking.

K0365

Knowledge of basic back-up and recovery procedures including different types of backups 
(e.g., full, incremental). 

K0366 

Knowledge of basic computer components and architectures, including the functions of 
various peripherals. 

K0367 

Knowledge of basic cyber operations activity concepts (e.g., foot printing, scanning and 
enumeration, penetration testing, white/black listing). 

K0368 

Knowledge of basic implants. 

K0369 

Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and 
enumeration). 

K0370 

Knowledge of basic physical computer components and architecture, including the functions 
of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). 

K0371 

Knowledge of basic principles of the collection development processes (e.g., Dialed Number 
Recognition, Social Network Analysis). 

K0372 

Knowledge of basic programming concepts (e.g., levels, structures, compiled vs. interpreted 
languages). 

K0373 

Knowledge of basic software applications (e.g., data storage and backup, database 
applications) and their vulnerabilities. 

K0374 

Knowledge of basic structure, architecture, and design of modern digital and telephony
networks. 

K0375 

Knowledge of basic wireless applications, including vulnerabilities in various types of 
wireless applications. 

K0376 

Knowledge of both internal and external customers and partner organizations, including 
information needs, objectives, structure, capabilities, etc. 

K0377 

Knowledge of classification and control markings standards, policies and procedures. 

K0378 

Knowledge of classification and control markings standards. 

K0379 

Knowledge of client organizations, including information needs, objectives, structure, 
capabilities, etc. 

K0380 

Knowledge of collaborative tools and environments. 

K0381 

Knowledge of collateral damage and estimating impact(s). 

K0382 

Knowledge of collection capabilities and limitations. 

K0383 

Knowledge of collection capabilities, accesses, performance specifications, and constraints 
utilized to satisfy collection plan. 

K0384 

Knowledge of collection management functionality (e.g., positions, functions, 
responsibilities, products, reporting requirements). 

K0385 

Withdrawn - Integrated into K0142

K0386 

Knowledge of collection management tools. 

K0387 

Knowledge of collection planning process and collection plan. 

K0388 

Knowledge of collection searching/analyzing techniques and tools for chat/buddy list, 
emerging technologies, VOIP, Media Over IP, VPN, VSAT/wireless, web mail and cookies. 

K0389 

Knowledge of collection sources including conventional and non-conventional sources. 

K0390 

Knowledge of collection strategies. 

K0391 

Knowledge of collection systems, capabilities, and processes. 

K0392 

Knowledge of common computer/network infections (virus, Trojan, etc.) and methods of
infection (ports, attachments, etc.). 

K0393 

Knowledge of common networking devices and their configurations. 

K0394 

Knowledge of common reporting databases and tools. 

K0395 

Knowledge of computer networking fundamentals (i.e., basic computer components of a 
network, types of networks, etc.)

K0396

Knowledge of computer programming concepts, including computer languages, 
programming, testing, debugging, and file types. 

K0397 

Knowledge of concepts for operating systems (e.g., Linux, Unix.) 

K0398 

Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, 
registration, web languages such as HTML). 

K0399 

Knowledge of crisis action planning and time sensitive planning procedures. 

K0400 

Knowledge of crisis action planning for cyber operations. 

K0401 

Knowledge of criteria for evaluating collection products. 

K0402 

Knowledge of criticality and vulnerability factors (e.g., value, recuperation, cushion, 
countermeasures) for target selection and applicability to the cyber domain. 

K0403 

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations. 

K0404 

Knowledge of current collection requirements. 

K0405 

Knowledge of current computer-based intrusion sets. 

K0406 

Knowledge of current software and methodologies for active defense and system hardening. 

K0407 

Knowledge of customer information needs. 

K0408 

Knowledge of cyber actions (i.e. cyber defense, information gathering, environment 
preparation, cyber attack) principles, capabilities, limitations, and effects. 

K0409 

Knowledge of cyber intelligence/information collection capabilities and repositories. 

K0410 

Knowledge of cyber laws and their effect on Cyber planning. 

K0411 

Knowledge of cyber laws, legal considerations and their effect on cyber planning. 

K0412 

Knowledge of cyber lexicon/terminology 

K0413 

Knowledge of cyber operation objectives, policies, and legalities. 

K0414 

Knowledge of cyber operations support or enabling processes. 

K0415 

Knowledge of cyber operations terminology/lexicon. 

K0416 

Knowledge of cyber operations. 

K0417 

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, 
encryption, optical devices, removable media). 

K0418 

Knowledge of data flow process for terminal or environment collection. 

K0419 

Knowledge of database administration and maintenance. 

K0420 

Knowledge of database theory. 

K0421 

Knowledge of databases, portals and associated dissemination vehicles. 

K0422 

Knowledge of deconfliction processes and procedures. 

K0423 

Knowledge of deconfliction reporting to include external organization interaction. 

K0424 

Knowledge of denial and deception techniques. 

K0425 

Knowledge of different organization objectives at all levels, including subordinate, lateral 
and higher. 

K0426 

Knowledge of dynamic and deliberate targeting. 

K0427 

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP). 

K0428 

Knowledge of encryption algorithms and tools for WLANs. 

K0429 

Knowledge of enterprise-wide information management. 

K0430 

Knowledge of evasion strategies and techniques. 

K0431 

Knowledge of evolving/emerging communications technologies. 

K0432 

Knowledge of existing, emerging, and long-range issues related to cyber operations strategy, 
policy, and organization. 

K0433 

Knowledge of forensic implications of operating system structure and operations. 

K0434 

Knowledge of front-end collection systems, including traffic collection, filtering, and 
selection. 

K0435 

Knowledge of fundamental cyber concepts, principles, limitations, and effects. 


K0436 

Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment 
preparation, cyber attack, cyber defense), principles, capabilities, limitations, and effects. 

K0437 

Knowledge of general SCADA system components. 

K0438 

Knowledge of Global Systems for Mobile Communications (GSM) architecture. 

K0439 

Knowledge of governing authorities for targeting. 

K0440 

Knowledge of host-based security products and how they affect exploitation and 
vulnerability. 

K0441 

Knowledge of how collection requirements and information needs are translated, tracked, and 
prioritized across the extended enterprise. 

K0442 

Knowledge of how converged technologies impact cyber operations (e.g., digital, telephony, 
wireless). 

K0443 

Knowledge of how hubs, switches, routers work together in the design of a network. 

K0444 

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, 
VOIP). 

K0445 

Knowledge of how modern digital and telephony networks impact cyber operations.

K0446

Knowledge of how modern wireless communications systems impact cyber operations.

K0447 

Knowledge of how to collect, view, and identify essential information on targets of interest 
from metadata (e.g., email, http). 

K0448 

Knowledge of how to establish priorities for resources. 

K0449 

Knowledge of how to extract, analyze, and use metadata. 

K0450 

Withdrawn - Integrated into K0036 

K0451 

Knowledge of identification and reporting processes. 

K0452 

Knowledge of implementing Unix and Windows systems that provide radius authentication 
and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP. 

K0453 

Knowledge of indications and warning. 

K0454 

Knowledge of information needs. 

K0455 

Knowledge of information security concepts, facilitating technologies and methods. 

K0456 

Knowledge of intelligence capabilities and limitations. 

K0457 

Knowledge of intelligence confidence levels. 

K0458 

Knowledge of intelligence disciplines. 

K0459 

Knowledge of intelligence employment requirements (i.e., logistical, communications 
support, maneuverability, legal restrictions, etc.). 

K0460 

Knowledge of intelligence preparation of the environment and similar processes. 

K0461 

Knowledge of intelligence production processes. 

K0462 

Knowledge of intelligence reporting principles, policies, procedures, and vehicles, including 
report formats, reportability criteria (requirements and priorities), dissemination practices, 
and legal authorities and restrictions. 

K0463 

Knowledge of intelligence requirements tasking systems. 

K0464 

Knowledge of intelligence support to planning, execution, and assessment. 

K0465 

Knowledge of internal and external partner cyber operations capabilities and tools. 

K0466 

Knowledge of internal and external partner intelligence processes and the development of 
information requirements and essential information. 

K0467 

Knowledge of internal and external partner organization capabilities and limitations (those 
with tasking, collection, processing, exploitation and dissemination responsibilities). 

K0468 

Knowledge of internal and external partner reporting. 

K0469 

Knowledge of internal tactics to anticipate and/or emulate threat capabilities and actions. 

K0470 

Knowledge of Internet and routing protocols.

K0471

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, 
TCP/UDP port numbering). 

K0472 

Knowledge of intrusion detection systems and signature development. 

K0473 

Knowledge of intrusion sets. 

K0474 

Knowledge of key cyber threat actors and their equities. 

K0475 

Knowledge of key factors of the operational environment and threat. 

K0476 

Knowledge of language processing tools and techniques. 

K0477 

Knowledge of leadership's intent and objectives.

K0478 

Knowledge of legal considerations in targeting. 

K0479 

Knowledge of malware analysis and characteristics. 

K0480 

Knowledge of malware. 

K0481 

Knowledge of methods and techniques used to detect various exploitation activities 

K0482 

Knowledge of methods for ascertaining collection asset posture and availability. 

K0483 

Knowledge of methods to integrate and summarize information from any potential sources. 

K0484 

Knowledge of midpoint collection (process, objectives, organization, targets, etc.). 

K0485 

Knowledge of network administration. 

K0486 

Knowledge of network construction and topology. 

K0487 

Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, 
perimeter protection). 

K0488 

Knowledge of network security implementations (e.g., host-based IDS, IPS, access control 
lists), including their function and placement in a network. 

K0489 

Knowledge of network topology. 

K0490 

Withdrawn - Integrated into K0058 

K0491 

Knowledge of networking and internet communications fundamentals (i.e. devices, device 
configuration, hardware, software, applications, ports/protocols, addressing, network 
architecture and infrastructure, routing, operating systems, etc.). 

K0492 

Knowledge of non-traditional collection methodologies. 

K0493 

Knowledge of obfuscation techniques (e.g., TOR/Onion/anonymizers, VPN/VPS, 
encryption). 

K0494 

Knowledge of objectives, situation, operational environment, and the status and disposition 
of internal and external partner collection capabilities available to support planning. 

K0495 

Knowledge of ongoing and future operations. 

K0496 

Knowledge of operational asset constraints. 

K0497 

Knowledge of operational effectiveness assessment. 

K0498 

Knowledge of operational planning processes. 

K0499 

Knowledge of operations security. 

K0500 

Knowledge of organization and/or partner collection systems, capabilities, and processes 
(e.g., collection and protocol processors). 

K0501 

Knowledge of organization cyber operations programs, strategies, and resources. 

K0502 

Knowledge of organization decision support tools and/or methods. 

K0503 

Knowledge of organization formats of resource and asset readiness reporting, its operational 
relevance and intelligence collection impact. 

K0504 

Knowledge of organization issues, objectives, and operations in cyber as well as regulations 
and policy directives governing cyber operations. 

K0505 

Knowledge of organization objectives and associated demand on collection management. 

K0506 

Knowledge of organization objectives, leadership priorities, and decision-making risks. 

K0507 

Knowledge of organization or partner exploitation of digital networks.

K0508

Knowledge of organization policies and planning concepts for partnering with internal and/or 
external organizations. 

K0509 

Knowledge of organizational and partner authorities, responsibilities, and contributions to 
achieving objectives. 

K0510 

Knowledge of organizational and partner policies, tools, capabilities, and procedures. 

K0511 

Knowledge of organizational hierarchy and cyber decision making processes. 

K0512 

Knowledge of organizational planning concepts. 

K0513 

Knowledge of organizational priorities, legal authorities and requirements submission 
processes. 

K0514 

Knowledge of organizational structures and associated intelligence capabilities. 

K0515 

Knowledge of OSI model and underlying networking protocols (e.g., TCP/IP). 

K0516 

Knowledge of physical and logical network devices and infrastructure to include hubs, 
switches, routers, firewalls, etc. 

K0517 

Knowledge of PIR approval process. 

K0518 

Knowledge of planning activity initiation. 

K0519 

Knowledge of planning timelines adaptive, crisis action, and time-sensitive planning. 

K0520 

Knowledge of principles and practices related to target development such as target 
knowledge, associations, communication systems, and infrastructure. 

K0521 

Knowledge of priority information, how it is derived, where it is published, how to access, 
etc. 

K0522 

Knowledge of production exploitation and dissemination needs and architectures. 

K0523 

Knowledge of products and nomenclature of major vendors (e.g., security suites - Trend
Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect
exploitation/vulnerabilities.

K0524 

Knowledge of relevant laws, regulations, policies. 

K0525 

Knowledge of required intelligence planning products associated with cyber operational 
planning. 

K0526 

Knowledge of research strategies and knowledge management. 

K0527 

Knowledge of risk management and mitigation strategies. 

K0528 

Knowledge of satellite-based communication systems. 

K0529 

Knowledge of scripting 

K0530 

Knowledge of security hardware and software options, including the network artifacts they 
induce and their effects on exploitation. 

K0531 

Knowledge of security implications of software configurations. 

K0532 

Knowledge of specialized target language (e.g., acronyms, jargon, technical terminology, 
codewords). 

K0533 

Knowledge of specific target identifiers, and their usage. 

K0534 

Knowledge of staff management, assignment, and allocation processes. 

K0535 

Knowledge of strategies and tools for target research. 

K0536 

Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, 
keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, 
conducting vulnerability analysis of other systems in the network). 

K0537 

Knowledge of system administration concepts for the Unix/Linux and Windows operating
systems (e.g., process management, directory structure, installed applications, Access
Controls).

K0538 

Knowledge of target and threat organization structures, critical capabilities, and critical 
vulnerabilities

K0539

Knowledge of target communication profiles and their key elements (e.g., target associations, 
activities, communication infrastructure). 

K0540 

Knowledge of target communication tools and techniques. 

K0541 

Knowledge of target cultural references, dialects, expressions, idioms, and abbreviations. 

K0542 

Knowledge of target development (i.e., concepts, roles, responsibilities, products, etc.). 

K0543 

Knowledge of target estimated repair and recuperation times. 

K0544 

Knowledge of target intelligence gathering and operational preparation techniques and life 
cycles. 

K0545 

Knowledge of target language(s). 

K0546 

Knowledge of target list development (i.e. RTL, JTL, CTL, etc.). 

K0547 

Knowledge of target methods and procedures. 

K0548 

Knowledge of target or threat cyber actors and procedures. 

K0549 

Knowledge of target vetting and validation procedures. 

K0550 

Knowledge of target, including related current events, communication profile, actors, and 
history (language, culture) and/or frame of reference. 

K0551 

Knowledge of targeting cycles. 

K0552 

Knowledge of tasking mechanisms. 

K0553 

Knowledge of tasking processes for organic and subordinate collection assets. 

K0554 

Knowledge of tasking, collection, processing, exploitation and dissemination. 

K0555 

Knowledge of TCP/IP networking protocols. 

K0556 

Knowledge of telecommunications fundamentals. 

K0557 

Knowledge of terminal or environmental collection (process, objectives, organization, 
targets, etc.). 

K0558 

Knowledge of the available tools and applications associated with collection requirements 
and collection management. 

K0559 

Knowledge of the basic structure, architecture, and design of converged applications. 

K0560 

Knowledge of the basic structure, architecture, and design of modern communication
networks. 

K0561 

Knowledge of the basics of network security (e.g., encryption, firewalls, authentication, 
honey pots, perimeter protection). 

K0562 

Knowledge of the capabilities and limitations of new and emerging collection capabilities, 
accesses and/or processes. 

K0563 

Knowledge of the capabilities, limitations and tasking methodologies of internal and external 
collections as they apply to planned cyber activities. 

K0564 

Knowledge of the characteristics of targeted communication networks (e.g., capacity, 
functionality, paths, critical nodes). 

K0565 

Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., 
web, mail, DNS), and how they interact to provide network communications. 

K0566 

Knowledge of the critical information requirements and how they're used in planning. 

K0567 

Knowledge of the data flow from collection origin to repositories and tools. 

K0568 

Knowledge of the definition of collection management and collection management authority. 

K0569 

Knowledge of the existent tasking, collection, processing, exploitation and dissemination 
architecture. 

K0570 

Knowledge of the factors of threat that could impact collection operations. 

K0571 

Knowledge of the feedback cycle in collection processes. 

K0572 

Knowledge of the functions and capabilities of internal teams that emulate threat activities to 
benefit the organization. 

K0573 

Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence.

K0574

Knowledge of the impact of language analysis on on-net operator functions. 

K0575 

Knowledge of the impacts of internal and external partner staffing estimates. 

K0576 

Knowledge of the information environment. 

K0577 

Knowledge of the intelligence frameworks, processes, and related systems. 

K0578 

Knowledge of the intelligence requirements development and request for information 
processes. 

K0579 

Knowledge of the organization, roles and responsibilities of higher, lower and adjacent
sub-elements.

K0580 

Knowledge of the organization’s established format for collection plan. 

K0581 

Knowledge of the organization’s planning, operations and targeting cycles. 

K0582 

Knowledge of the organizational planning and staffing process. 

K0583 

Knowledge of the organizational plans/directives/guidance that describe objectives. 

K0584 

Knowledge of the organizational policies/procedures for temporary transfer of collection 
authority. 

K0585 

Knowledge of the organizational structure as it pertains to full spectrum cyber operations, 
including the functions, responsibilities, and interrelationships among distinct internal 
elements. 

K0586 

Knowledge of the outputs of course of action and exercise analysis. 

K0587 

Knowledge of the POC’s, databases, tools and applications necessary to establish 
environment preparation and surveillance products. 

K0588 

Knowledge of the priority information requirements from subordinate, lateral and higher 
levels of the organization. 

K0589 

Knowledge of the process used to assess the performance and impact of operations. 

K0590 

Knowledge of the processes to synchronize operational assessment procedures with the 
critical information requirement process. 

K0591 

Knowledge of the production responsibilities and organic analysis and production 
capabilities. 

K0592 

Knowledge of the purpose and contribution of target templates. 

K0593 

Knowledge of the range of cyber operations and their underlying intelligence support needs, 
topics, and focus areas. 

K0594 

Knowledge of the relationships between end states, objectives, effects, lines of operation, etc. 

K0595 

Knowledge of the relationships of operational objectives, intelligence requirements, and 
intelligence production tasks. 

K0596 

Knowledge of the request for information process. 

K0597 

Knowledge of the role of network operations in supporting and facilitating other organization 
operations. 

K0598 

Knowledge of the structure and intent of organization specific plans, guidance and 
authorizations. 

K0599 

Knowledge of the structure, architecture, and design of modern digital and telephony
networks.

K0600

Knowledge of the structure, architecture, and design of modern wireless communications
systems. 

K0601 

Knowledge of the systems/architecture/communications used for coordination. 

K0602 

Knowledge of the various collection disciplines and capabilities. 

K0603 

Knowledge of the ways in which targets or threats use the Internet. 

K0604 

Knowledge of threat and/or target systems. 

K0605 

Knowledge of tipping, cueing, mixing, and redundancy.

K0606

Knowledge of transcript development processes and techniques (e.g., verbatim, gists, 
summaries). 

K0607 

Knowledge of translation processes and techniques. 

K0608 

Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., 
process management, directory structure, installed applications). 

K0609 

Knowledge of virtual machine technologies. 

K0610 

Knowledge of virtualization products (VMware, Virtual PC). 

K0611 

Withdrawn - Integrated into K0131 

K0612 

Knowledge of what constitutes a “threat” to a network. 

K0613 

Knowledge of who the organization’s operational planners are, how and where they can be 
contacted, and what are their expectations. 

K0614 

Knowledge of wireless technologies (e.g., cellular, satellite, GSM) to include the basic 
structure, architecture, and design of modern wireless communications systems.


A.6 NCWF Skills Descriptions

Table 7 provides a listing of specific skills that might be demonstrated by a person in a given
cybersecurity position. Selected skills descriptions from this list are included in the Detailed
Work Role Listing in Appendix B. Because the list of skills has evolved over many years and is
expected to continue to do so, it is not sorted in a particular order and will simply continue to
grow sequentially.

Table 7 - NCWF Skills Descriptions


ID 

Description 

S0001 

Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems. 

S0002 

Skill in allocating storage capacity in the design of data management systems. 

S0003 

Skill of identifying, capturing, containing, and reporting malware. 

S0004 

Skill in analyzing network traffic capacity and performance characteristics. 

S0005 

Skill in applying and incorporating information technologies into proposed solutions. 

S0006 

Skill in applying confidentiality, integrity, and availability principles. 

S0007 

Skill in applying host/network access controls (e.g., access control list). 

S0008 

Skill in applying organization-specific systems analysis principles and techniques. 

S0009 

Skill in assessing the robustness of security systems and designs. 

S0010 

Skill in conducting capabilities and requirements analysis. 

S0011 

Skill in conducting information searches. 

S0012 

Skill in conducting knowledge mapping (e.g., map of knowledge repositories). 

S0013 

Skill in conducting queries and developing algorithms to analyze data structures. 

S0014 

Skill in conducting software debugging. 

S0015 

Skill in conducting test events. 

S0016 

Skill in configuring and optimizing software. 

S0017 

Skill in creating and utilizing mathematical or statistical models. 

S0018 

Skill in creating policies that reflect system security objectives. 

S0019 

Skill in creating programs that validate and process multiple inputs including command line 
arguments, environmental variables, and input streams. 

S0020 

Skill in developing and deploying signatures. 

S0021 

Skill in designing a data analysis structure (i.e., the types of data your test must generate and 
how to analyze those data). 

S0022 

Skill in designing countermeasures to identified security risks. 

S0023 

Skill in designing security controls based on cybersecurity principles and tenets. 

S0024 

Skill in designing the integration of hardware and software solutions. 

S0025 

Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., 
Snort). 

S0026 

Skill in determining an appropriate level of test rigor for a given system. 

S0027 

Skill in determining how a security system should work (including its resilience and 
dependability capabilities) and how changes in conditions, operations, or the environment 
will affect these outcomes. 

S0028 

Skill in developing data dictionaries. 

S0029 

Skill in developing data models. 

S0030 

Skill in developing operations-based testing scenarios. 

S0031 

Skill in developing and applying security system access controls. 

S0032 

Skill in developing, testing, and implementing network infrastructure contingency and 
recovery plans. 

S0033 

Skill in diagnosing connectivity problems. 

S0034 

Skill in discerning the protection needs (i.e., security controls) of information systems and 
networks. 

S0035 

Skill in establishing a routing schema. 

S0036 

Skill in evaluating the adequacy of security designs. 

S0037 

Skill in generating queries and reports. 

S0038 

Skill in identifying measures or indicators of system performance and the actions needed to 
improve or correct performance, relative to the goals of the system. 

S0039 

Skill in identifying possible causes of degradation of system performance or availability and 
initiating actions needed to mitigate this degradation. 

S0040 

Skill in implementing, maintaining, and improving established network security practices. 

S0041 

Skill in installing, configuring, and troubleshooting LAN and WAN components such as 
routers, hubs, and switches. 

S0042 

Skill in maintaining databases. 

S0043 

Skill in maintaining directory services. 

S0044 

Skill in mimicking threat behaviors. 

S0045 

Skill in optimizing database performance. 

S0046 

Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump). 

S0047 

Skill in preserving evidence integrity according to standard operating procedures or national 
standards. 

S0048 

Skill in systems integration testing. 

S0049 

Skill in the measuring and reporting of intellectual capital. 

S0050 

Skill in design modeling and building use cases (e.g., unified modeling language). 

S0051 

Skill in the use of penetration testing tools and techniques. 

S0052 

Skill in the use of social engineering techniques. 

S0053 

Skill in tuning sensors. 

S0054 

Skill in using incident handling methodologies. 

S0055 

Skill in using knowledge management technologies. 

S0056 

Skill in using network management tools to analyze network traffic patterns (e.g., simple 
network management protocol). 

S0057 

Skill in using protocol analyzers. 

S0058 

Skill in using the appropriate tools for repairing software, hardware, and peripheral 
equipment of a system. 

S0059 

Skill in using Virtual Private Network (VPN) devices and encryption. 

S0060 

Skill in writing code in a currently supported programming language (e.g., Java, C++). 

S0061 

Skill in writing test plans. 

S0062 

Skill in analyzing memory dumps to extract information. 

S0063 

Skill in collecting data from a variety of cyber defense resources. 

S0064 

Skill in developing and executing technical training programs and curricula. 

S0065 

Skill in identifying and extracting data of forensic interest in diverse media (i.e., media 
forensics). 

S0066 

Skill in identifying gaps in technical capabilities. 

S0067 

Skill in identifying, modifying, and manipulating applicable system components within 
Windows, Unix, or Linux (e.g., passwords, user accounts, files). 

S0068 

Skill in collecting, processing, packaging, transporting, and storing electronic evidence to 
avoid alteration, loss, physical damage, or destruction of data. 

S0069 

Skill in setting up a forensic workstation. 

S0070 

Skill in talking to others to convey information effectively. 

S0071 

Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK). 

S0072 

Skill in using scientific rules and methods to solve problems. 

S0073 

Skill in using virtual machines. 

S0074 

Skill in physically disassembling PCs. 

S0075 

Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile 
device systems). 

S0076 

Skill in configuring and utilizing software-based computer protection tools (e.g., software 
firewalls, anti-virus software, anti-spyware). 

S0077 

Skill in securing network communications. 

S0078 

Skill in recognizing and categorizing types of vulnerabilities and associated attacks. 

S0079 

Skill in protecting a network against malware. 

S0080 

Skill in performing damage assessments. 

S0081 

Skill in using network analysis tools to identify vulnerabilities. 

S0082 

Skill in evaluating test plans for applicability and completeness. 

S0083 

Skill in integrating black box security testing tools into quality assurance process of software 
releases. 

S0084 

Skill in configuring and utilizing network protection components (e.g., Firewalls, VPNs, 
network intrusion detection systems). 

S0085 

Skill in conducting audits or reviews of technical systems. 

S0086 

Skill in evaluating the trustworthiness of the supplier and/or product. 

S0087 

Skill in deep analysis of captured malicious code (e.g., malware forensics). 

S0088 

Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump). 

S0089 

Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest 
Algorithm [MD5]). 

S0090 

Skill in analyzing anomalous code as malicious or benign. 

S0091 

Skill in analyzing volatile data. 

S0092 

Skill in identifying obfuscation techniques. 

S0093 

Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures. 

S0094 

Skill in reading Hexadecimal data. 

S0095 

Skill in identifying common encoding techniques (e.g., Exclusive Disjunction [XOR], 
American Standard Code for Information Interchange [ASCII], Unicode, Base64, Uuencode, 
Uniform Resource Locator [URL] encode). 

S0096 

Skill in reading and interpreting signatures (e.g., snort). 

S0097 

Skill in applying security controls. 

S0098 

Skill in detecting host and network based intrusions via intrusion detection technologies. 

S0099 

Skill in determining how a security system should work and how changes in conditions, 
operations, or the environment will affect these outcomes. 

S0100 

Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, 
interactive exercises). 

S0101 

Skill in utilizing technologies (e.g., SmartBoards, websites, computers, projectors) for 
instructional purposes. 

S0102 

Skill in applying technical delivery capabilities. 

S0103 

Skill in assessing the predictive power and subsequent generalizability of a model. 

S0104 

Skill in conducting Test Readiness Reviews. 

S0105 

Skill in data mining techniques. 

S0106 

Skill in data pre-processing (e.g., imputation, dimensionality reduction, normalization, 
transformation, extraction, filtering, smoothing). 

S0107 

Skill in designing and documenting overall program Test & Evaluation strategies. 

S0108 

Skill in developing workforce and position qualification standards. 

S0109 

Skill in identifying hidden patterns or relationships. 

S0110 

Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) 
requirements. 

S0111 

Skill in interfacing with customers. 

S0112 

Skill in managing test assets, test resources, and test personnel to ensure effective completion 
of test events. 

S0113 

Skill in performing format conversions to create a standard representation of the data. 

S0114 

Skill in performing sensitivity analysis. 

S0115 

Skill in preparing Test & Evaluation reports. 

S0116 

Skill in designing multi-level security/cross domain solutions. 

S0117 

Skill in providing Test & Evaluation resource estimate. 

S0118 

Skill in developing machine understandable semantic ontologies. 

S0119 

Skill in Regression Analysis (e.g., Hierarchical Stepwise, Generalized Linear Model, 
Ordinary Least Squares, Tree-Based Methods, Logistic). 

S0120 

Skill in reviewing logs to identify evidence of past intrusions. 

S0121 

Skill in system, network, and OS hardening techniques. 

S0122 

Skill in the use of design methods. 

S0123 

Skill in transformation analytics (e.g., aggregation, enrichment, processing). 

S0124 

Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and work 
through resolution. 

S0125 

Skill in using basic descriptive statistics and techniques (e.g., normality, model distribution, 
scatter plots). 

S0126 

Skill in using data analysis tools (e.g., Excel, STATA SAS, SPSS). 

S0127 

Skill in using data mapping tools. 

S0128 

Skill in using manpower and personnel IT systems. 

S0129 

Skill in using outlier identification and removal techniques. 

S0130 

Skill in writing scripts using R, Python, PIG, HIVE, SQL, etc. 

S0131 

Skill in analyzing malware. 

S0132 

Skill in conducting bit-level analysis. 

S0133 

Skill in processing digital evidence, to include protecting and making legally sound copies of 
evidence. 

S0134 

Skill in conducting reviews of systems. 

S0135 

Skill in secure test plan design (e.g., unit, integration, system, acceptance). 

S0136 

Skill in network systems management principles, models, methods (e.g., end-to-end systems 
performance monitoring), and tools. 

S0137 

Skill in conducting application vulnerability assessments. 

S0138 

Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities 
into applications (e.g., S/MIME email, SSL traffic). 

S0139 

Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark- 
Wilson integrity model). 

S0140 

Skill in applying the systems engineering process. 

S0141 

Skill in assessing security systems designs. 

S0142 

Skill in conducting research for troubleshooting novel client-level problems. 

S0143 

Skill in conducting system/server planning, management, and maintenance. 

S0144 

Skill in correcting physical and technical problems that impact system/server performance. 

S0145 

Skill in integrating and applying policies that meet system security objectives. 

S0146 

Skill in creating policies that enable systems to meet performance objectives (e.g. traffic 
routing, SLA's, CPU specifications). 

S0147 

Skill in assessing security controls based on cybersecurity principles and tenets. 

S0148 

Skill in designing the integration of technology processes and solutions, including legacy 
systems and modern programming languages. 

S0149 

Skill in developing applications that can log and handle errors, exceptions, and application 
faults and logging. 

S0150 

Skill in implementing and testing network infrastructure contingency and recovery plans. 

S0151 

Skill in troubleshooting failed system components (i.e., servers) 

S0152 

Skill in translating operational requirements into protection needs (i.e., security controls). 

S0153 

Skill in identifying and anticipating system/server performance, availability, capacity, or 
configuration problems. 

S0154 

Skill in installing system and component upgrades. 

S0155 

Skill in monitoring and optimizing system/server performance. 

S0156 

Skill in performing packet-level analysis (e.g., Wireshark, tcpdump, etc.). 

S0157 

Skill in recovering failed systems/servers. 

S0158 

Skill in operating system administration. 

S0159 

Skill in configuring and validating network workstations and peripherals in accordance with 
approved standards and/or specifications. 

S0160 

Skill in the use of design modeling (e.g., unified modeling language). 

S0161 

Withdrawn - Integrated into S0160 

S0162 

Skill in sub-netting. 

S0163 

Withdrawn - Integrated into S0060 

S0164 

Skill in assessing the application of cryptographic standards. 

S0165 

Skill in collecting, packaging, transporting, and storing electronic evidence to avoid 
alteration, loss, physical damage, or destruction of data. 

S0166 

Skill in identifying gaps in technical delivery capabilities. 

S0167 

Skill in recognizing vulnerabilities in security systems. 

S0168 

Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and 
encryption. 

S0169 

Skill in conducting trend analysis. 

S0170 

Skill in configuring and utilizing computer protection components (e.g., hardware firewalls, 
servers, routers, as appropriate). 

S0171 

Skill in performing impact/risk assessments. 

S0172 

Skill in applying secure coding techniques. 

S0173 

Skill in using security event correlation tools. 

S0174 

Skill in using code analysis tools. 

S0175 

Skill in performing root cause analysis. 

S0176 

Skill in administrative planning activities, to include preparation of functional and specific 
support plans, preparing and managing correspondence, and staffing procedures. 

S0177 

Skill in analyzing a target's communication networks. 

S0178 

Skill in analyzing essential network data (e.g., router configuration files, routing protocols). 

S0179 

Skill in analyzing language processing tools to provide feedback to enhance tool 
development. 

S0180 

Withdrawn - Integrated into S0062 

S0181 

Skill in analyzing midpoint collection data. 

S0182 

Skill in analyzing target communications internals and externals collected from wireless 
LANs. 

S0183 

Skill in analyzing terminal or environment collection data. 

S0184 

Skill in analyzing traffic to identify network devices. 

S0185 

Skill in applying analytical methods typically employed to support planning and to justify 
recommended strategies and courses of action. 

S0186 

Skill in applying crisis planning procedures. 

S0187 

Skill in applying various analytical methods, tools, and techniques (e.g., competing 
hypotheses; chain of reasoning; scenario methods; denial and deception detection; high 
impact-low probability; network/association or link analysis; Bayesian, Delphi, and Pattern 
analyses). 

S0188 

Skill in assessing a target's frame of reference (e.g., motivation, technical capability, 
organizational structure, sensitivities). 

S0189 

Skill in assessing and/or estimating effects generated during and after cyber operations. 

S0190 

Skill in assessing current tools to identify needed improvements. 

S0191 

Skill in assessing the applicability of available analytical tools to various situations. 

S0192 

Skill in auditing firewalls, perimeters, routers, and intrusion detection systems. 

S0193 

Skill in complying with the legal restrictions for targeted information. 

S0194 

Skill in conducting non-attributable research. 

S0195 

Skill in conducting research using all available sources. 

S0196 

Skill in conducting research using deep web. 

S0197 

Skill in conducting social network analysis, buddy list analysis, and/or cookie analysis. 

S0198 

Skill in conducting social network analysis. 

S0199 

Skill in creating and extracting important information from packet captures. 

S0200 

Skill in creating collection requirements in support of data acquisition activities. 

S0201 

Skill in creating plans in support of remote operations. 

S0202 

Skill in data mining techniques (e.g., searching file systems) and analysis. 

S0203 

Skill in defining and characterizing all pertinent aspects of the operational environment. 

S0204 

Skill in depicting source or collateral data on a network map. 

S0205 

Skill in determining appropriate targeting options through the evaluation of available 
capabilities against desired effects. 

S0206 

Skill in determining installed patches on various operating systems and identifying patch 
signatures. 

S0207 

Skill in determining the effect of various router and firewall configurations on traffic patterns 
and network performance in both LAN and WAN environments. 

S0208 

Skill in determining the physical location of network devices. 

S0209 

Skill in developing and executing comprehensive cyber operations assessment programs for 
assessing and validating operational performance characteristics. 

S0210 

Skill in developing intelligence reports. 

S0211 

Skill in developing or recommending analytic approaches or solutions to problems and 
situations for which information is incomplete or for which no precedent exists. 

S0212 

Skill in disseminating items of highest intelligence value in a timely manner. 

S0213 

Skill in documenting and communicating complex technical and programmatic information. 

S0214 

Skill in evaluating accesses for intelligence value. 

S0215 

Skill in evaluating and interpreting metadata. 

S0216 

Skill in evaluating available capabilities against desired effects in order to provide effective 
courses of action. 

S0217 

Skill in evaluating data sources for relevance, reliability, and objectivity. 

S0218 

Skill in evaluating information for reliability, validity, and relevance. 

S0219 

Skill in evaluating information to recognize relevance, priority, etc. 

S0220 

Skill in exploiting/querying organizational and/or partner collection databases. 

S0221 

Skill in extracting information from packet captures. 

S0222 

Skill in fusion analysis 

S0223 

Skill in generating operation plans in support of mission and target requirements. 

S0224 

Skill in gisting target communications. 

S0225 

Skill in identifying a target’s communications networks. 

S0226 

Skill in identifying a target's network characteristics. 

S0227 

Skill in identifying alternative analytical interpretations in order to minimize unanticipated 
outcomes. 

S0228 

Skill in identifying critical target elements, to include critical target elements for the cyber 
domain. 

S0229 

Skill in identifying cyber threats which may jeopardize organization and/or partner interests. 

S0230 

Withdrawn - Integrated into S0066 

S0231 

Skill in identifying how a target communicates. 

S0232 

Skill in identifying intelligence gaps and limitations. 

S0233 

Skill in identifying language issues that may have an impact on organization objectives. 

S0234 

Skill in identifying leads for target development. 

S0235 

Skill in identifying non-target regional languages and dialects 

S0236 

Skill in identifying the devices that work at each level of protocol models. 

S0237 

Skill in identifying, locating, and tracking targets via geospatial analysis techniques 

S0238 

Skill in information prioritization as it relates to operations. 

S0239 

Skill in interpreting compiled and interpretive programming languages. 

S0240 

Skill in interpreting metadata and content as applied by collection systems. 

S0241 

Skill in interpreting traceroute results, as they apply to network analysis and reconstruction. 

S0242 

Skill in interpreting vulnerability scanner results to identify vulnerabilities. 

S0243 

Skill in knowledge management, including technical documentation techniques (e.g., Wiki 
page). 

S0244 

Skill in managing client relationships, including determining client needs/requirements, 
managing client expectations, and demonstrating commitment to delivering quality results. 

S0245 

Skill in navigating network visualization software. 

S0246 

Skill in number normalization. 

S0247 

Skill in performing data fusion from existing intelligence for enabling new and continued 
collection. 

S0248 

Skill in performing target system analysis. 

S0249 

Skill in preparing and presenting briefings. 

S0250 

Skill in preparing plans and related correspondence. 

S0251 

Skill in prioritizing target language material. 

S0252 

Skill in processing collected data for follow-on analysis. 

S0253 

Skill in providing analysis on target-related matters (e.g., language, cultural, 
communications). 

S0254 

Skill in providing analysis to aid writing phased after action reports. 

S0255 

Skill in providing real-time, actionable geolocation information utilizing target 
infrastructures. 

S0256 

Skill in providing understanding of target or threat systems through the identification and link 
analysis of physical, functional, or behavioral relationships. 

S0257 

Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, 
VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data 
files, automating manual tasks, and fetching/processing remote data). 

S0258 

Skill in recognizing and interpreting malicious network activity in traffic. 

S0259 

Skill in recognizing denial and deception techniques of the target. 



S0260 

Skill in recognizing midpoint opportunities and essential information. 

S0261 

Skill in recognizing relevance of information. 

S0262 

Skill in recognizing significant changes in a target’s communication patterns. 

S0263 

Skill in recognizing technical information that may be used for leads for metadata analysis. 

S0264 

Skill in recognizing technical information that may be used for leads to enable remote 
operations (data includes users, passwords, email addresses, IP ranges of the target, frequency 
in DNI behavior, mail servers, domain servers, SMTP header information). 

S0265 

Skill in recognizing technical information that may be used for target development including 
intelligence development. 

S0266 

Skill in relevant programming languages (e.g., C++, Python, etc.). 

S0267 

Skill in remote command line and Graphic User Interface (GUI) tool usage. 

S0268 

Skill in researching essential information. 

S0269 

Skill in researching vulnerabilities and exploits utilized in traffic. 

S0270 

Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and 
strings analysis) to identify function and ownership of remote tools. 

S0271 

Skill in reviewing and editing assessment products. 

S0272 

Skill in reviewing and editing intelligence products from various sources for cyber operations. 

S0273 

Skill in reviewing and editing plans. 

S0274 

Skill in reviewing and editing target materials. 

S0275 

Skill in server administration. 

S0276 

Skill in survey, collection, and analysis of wireless LAN metadata. 

S0277 

Skill in synthesizing, analyzing, and prioritizing meaning across data sets. 

S0278 

Skill in tailoring analysis to the necessary levels (e.g., classification and organizational). 

S0279 

Skill in target development in direct support of collection operations. 

S0280 

Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target 
implementation of new technologies). 

S0281 

Skill in technical writing. 

S0282 

Skill in testing and evaluating tools for implementation. 

S0283 

Skill in transcribing target language communications. 

S0284 

Skill in translating target graphic and/or voice language materials. 

S0285 

Skill in using Boolean operators to construct simple and complex queries. 

S0286 

Skill in using databases to identify target-relevant information. 

S0287 

Skill in using geospatial data and applying geospatial resources. 

S0288 

Skill in using multiple analytic tools, databases, and techniques (e.g., Analyst’s Notebook, A- 
Space, Anchory, M3, divergent/convergent thinking, link charts, matrices, etc.). 

S0289 

Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools 
in conducting open-source searches. 

S0290 

Skill in using non-attributable networks. 

S0291 

Skill in using research methods including multiple, different sources to reconstruct a target 
network. 

S0292 

Skill in using targeting databases and software packages. 

S0293 

Skill in using tools, techniques, and procedures to remotely exploit and establish persistence 
on a target. 

S0294 

Skill in using trace route tools and interpreting the results as they apply to network analysis 
and reconstruction. 

S0295 

Skill in using various open source data collection tools (online trade, DNS, mail, etc.). 

S0296 

Skill in utilizing feedback in order to improve processes, products, and services. 

S0297 

Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, 
SharePoint). 

S0298 

Skill in verifying the integrity of all files. 

S0299 

Skill in wireless network target analysis, templating, and geolocation. 

S0300 

Skill in writing (and submitting) requirements to meet gaps in technical capabilities. 

S0301 

Skill in writing about facts and ideas in a clear, convincing, and organized manner. 

S0302 

Skill in writing effectiveness reports. 

S0303 

Skill in writing, reviewing and editing cyber-related Intelligence/assessment products from 
multiple sources. 

S0304 

Skill to access information on current assets available, usage. 

S0305 

Skill to access the databases where plans/directives/guidance are maintained. 

S0306 

Skill to analyze strategic guidance for issues requiring clarification and/or additional 
guidance. 

S0307 

Skill to analyze target or threat sources of strength and morale. 

S0308 

Skill to anticipate intelligence capability employment requirements. 

S0309 

Skill to anticipate key target or threat activities which are likely to prompt a leadership 
decision. 

S0310 

Skill to apply analytical standards to evaluate intelligence products. 

S0311 

Skill to apply the capabilities, limitations and tasking methodologies of available platforms, 
sensors, architectures and apparatus as they apply to organization objectives. 

S0312 

Skill to apply the process used to assess the performance and impact of cyber operations. 

S0313 

Skill to articulate a needs statement/requirement and integrate new and emerging collection 
capabilities, accesses and/or processes into collection operations. 

S0314 

Skill to articulate intelligence capabilities available to support execution of the plan. 

S0315 

Skill to articulate the needs of joint planners to all-source analysts. 

S0316 

Skill to associate Intelligence gaps to priority information requirements and observables. 

S0317 

Skill to compare and contrast indicators/observables with requirements. 

S0318 

Skill to conceptualize the entirety of the intelligence process in the multiple domains and 
dimensions. 

S0319 

Skill to convert intelligence requirements into intelligence production tasks. 

S0320 

Skill to coordinate the development of tailored intelligence products. 

S0321 

Skill to correlate intelligence priorities to the allocation of intelligence resources/assets. 

S0322 

Skill to craft indicators of operational progress/success. 

S0323 

Skill to create and maintain up-to-date planning documents and tracking of 
services/production. 

S0324 

Skill to determine feasibility of collection. 

S0325 

Skill to develop a collection plan that clearly shows the discipline that can be used to collect 
the information needed. 

S0326 

Skill to distinguish between notional and actual resources and their applicability to the plan 
under development. 

S0327 

Skill to ensure that the collection strategy leverages all available resources. 

S0328 

Skill to evaluate factors of the operational environment to objectives, and information 
requirements. 

S0329 

Skill to evaluate requests for information to determine if response information exists. 

S0330 

Skill to evaluate the capabilities, limitations and tasking methodologies of organic, theater, 
national, coalition and other collection capabilities. 

S0331 

Skill to express orally and in writing the relationship between intelligence capability 
limitations and decision making risk and impacts on the overall operation. 

S0332 

Skill to extract information from available tools and applications associated with collection 
requirements and collection operations management. 

S0333 

Skill to graphically depict decision support materials containing intelligence and partner 
capability estimates. 

S0334 

Skill to identify and apply tasking, collection, processing, exploitation and dissemination to 
associated collection disciplines. 

S0335 

Skill to identify Intelligence gaps. 

S0336 

Skill to identify when priority information requirements are satisfied. 

S0337 

Skill to implement established procedures for evaluating collection management and 
operations activities. 

S0338 

Skill to interpret planning guidance to discern level of analytical support required. 

S0339 

Skill to interpret readiness reporting, its operational relevance and intelligence collection 
impact. 

S0340 

Skill to monitor target or threat situation and environmental factors. 

S0341 

Skill to monitor threat effects to partner capabilities and maintain a running estimate. 

S0342 

Skill to optimize collection system performance through repeated adjustment, testing, and 
re-adjustment. 

S0343 

Skill to orchestrate intelligence planning teams, coordinate collection and production support, 
and monitor status. 

S0344 

Skill to prepare and deliver reports, presentations and briefings, to include using visual aids or 
presentation technology. 

S0345 

Skill to relate intelligence resources/assets to anticipated intelligence requirements. 

S0346 

Skill to resolve conflicting collection requirements. 

S0347 

Skill to review performance specifications and historical information about collection assets. 

S0348 

Skill to specify collections and/or taskings that must be conducted in the near term. 

S0349 

Skill to synchronize operational assessment procedures with the critical information 
requirement process. 

S0350 

Skill to synchronize planning activities and required intelligence support. 

S0351 

Skill to translate the capabilities, limitations and tasking methodologies of organic, theater, 
national, coalition and other collection capabilities. 

S0352 

Skill to use collaborative tools and environments. 

S0353 

Skill to use systems and/or tools to track collection requirements and determine whether or 
not they are satisfied. 

S0354 

Skill in creating policies that reflect the business’s core privacy objectives. 

S0355 

Skill in negotiating vendor agreements and evaluating vendor privacy practices. 

S0356 

Skill in communicating with all levels of management including Board members (e.g.,
interpersonal skills, approachability, effective listening skills, appropriate use of style and
language for the audience).

S0357 

Skill to anticipate new security threats. 

S0358 

Skill to remain aware of evolving technical infrastructures. 

S0359 

Skill to use critical thinking to analyze organizational patterns and relationships. 


A.7 NCWF Ability Descriptions

Table 8 provides a listing of specific abilities that might be demonstrated by a person in a given
cybersecurity position. Selected ability descriptions from this list are included in the Detailed
Work Role Listing in Appendix B. Because the list of abilities has evolved over many years and
is expected to continue to do so, it is not sorted in a particular order and will simply continue to
grow sequentially.

Table 8 - NCWF Ability Descriptions


ID 

Description 

A0001 

Ability to identify systemic security issues based on the analysis of vulnerability and 
configuration data. 

A0002 

Ability to match the appropriate knowledge repository technology for a given application or 
environment. 

A0003 

Ability to determine the validity of technology trend data. 

A0004 

Ability to develop curriculum that speaks to the topic at the appropriate level for the target 
audience. 

A0005 

Ability to decrypt digital data collections. 

A0006 

Ability to prepare and deliver education and awareness briefings to ensure that systems, 
network, and data users are aware of and adhere to systems security policies and procedures. 

A0007 

Ability to tailor code analysis for application-specific concerns. 

A0008 

Ability to apply the methods, standards, and approaches for describing, analyzing, and
documenting an organization's enterprise information technology (IT) architecture (e.g.,
Open Group Architecture Framework [TOGAF], Department of Defense Architecture
Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).

A0009 

Ability to apply supply chain risk management standards. 

A0010 

Ability to analyze malware. 

A0011 

Ability to answer questions in a clear and concise manner. 

A0012 

Ability to ask clarifying questions. 

A0013 

Ability to communicate complex information, concepts, or ideas in a confident and
well-organized manner through verbal, written, and/or visual means.

A0014 

Ability to communicate effectively when writing. 

A0015 

Ability to conduct vulnerability scans and recognize vulnerabilities in security systems. 

A0016 

Ability to facilitate small group discussions. 

A0017 

Ability to gauge learner understanding and knowledge level. 

A0018 

Ability to prepare and present briefings. 

A0019 

Ability to produce technical documentation. 

A0020 

Ability to provide effective feedback to students for improving learning. 

A0021 

Ability to use and understand complex mathematical concepts (e.g., discrete math). 

A0022 

Ability to apply principles of adult learning. 

A0023 

Ability to design valid and reliable assessments. 

A0024 

Ability to develop clear directions and instructional materials. 

A0025 

Ability to accurately define incidents, problems, and events in the trouble ticketing system. 

A0026 

Ability to analyze test data. 

A0027 

Ability to apply an organization's goals and objectives to develop and maintain architecture. 

A0028 

Ability to assess and forecast manpower requirements to meet organizational objectives. 

A0029 

Ability to build complex data structures and high-level programming languages. 

A0030 

Ability to collect, verify, and validate test data. 

A0031 

Ability to conduct and implement market research to understand government and industry 
capabilities and appropriate pricing. 

A0032 

Ability to develop curriculum for use within a virtual environment. 

A0033 

Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, 
and standards in support of organizational cyber activities. 

A0034 

Ability to develop, update, and/or maintain standard operating procedures (SOPs). 

A0035 

Ability to dissect a problem and examine the interrelationships between data that may appear 
unrelated. 

A0036 

Ability to identify basic common coding flaws at a high level. 

A0037 

Ability to leverage best practices and lessons learned of external organizations and academic 
institutions dealing with cyber issues. 

A0038 

Ability to optimize systems to meet enterprise performance requirements. 

A0039 

Ability to oversee the development and update of the lifecycle cost estimate. 

A0040 

Ability to translate data and test results into evaluative conclusions. 

A0041 

Ability to use data visualization tools (e.g., Flare, HighCharts, AmCharts, D3.js, Processing,
Google Visualization API, Tableau, Raphael.js).

A0042 

Ability to develop career path opportunities. 

A0043 

Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments. 

A0044 

Ability to apply programming language structures (e.g., source code review) and logic. 

A0045 

Ability to evaluate/ensure the trustworthiness of the supplier and/or product. 

A0046 

Ability to monitor and assess the potential impact of emerging technologies on laws, 
regulations, and/or policies. 

A0047 

Ability to develop secure software according to secure software deployment methodologies, 
tools, and practices. 

A0048 

Ability to apply network security architecture concepts including topology, protocols, 
components, and principles (e.g., application of defense-in-depth). 

A0049 

Ability to apply secure system design tools, methods and techniques. 

A0050 

Ability to apply system design tools, methods, and techniques, including automated systems 
analysis and design tools. 

A0051 

Ability to execute technology integration processes. 

A0052 

Ability to operate network equipment including hubs, routers, switches, bridges, servers, 
transmission media, and related hardware. 

A0053 

Ability to determine the validity of workforce trend data. 

A0054 

Ability to apply the Instructional System Design (ISD) methodology. 

A0055 

Ability to operate common network tools (e.g., ping, traceroute, nslookup). 

A0056 

Ability to ensure security practices are followed throughout the acquisition process. 

A0057 

Ability to tailor curriculum that speaks to the topic at the appropriate level for the target 
audience. 

A0058 

Ability to execute OS command line (e.g., ipconfig, netstat, dir, nbtstat). 

A0059 

Ability to operate the organization's LAN/WAN pathways. 

A0060 

Ability to build architectures and frameworks. 

A0061 

Ability to design architectures and frameworks. 

A0062 

Ability to monitor measures or indicators of system performance and availability. 

A0063 

Ability to operate different electronic communication systems and methods (e.g., e-mail,
VOIP, IM, web forums, Direct Video Broadcasts).

A0064 

Ability to interpret and translate customer requirements into operational capabilities. 

A0065 

Ability to monitor traffic flows across the network. 



A0066 

Ability to accurately and completely source all data used in intelligence, assessment and/or 
planning products. 

A0067 

Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work 
environment. 

A0068 

Ability to apply approved planning development and staffing processes. 

A0069 

Ability to apply collaborative skills and strategies. 

A0070 

Ability to apply critical reading/thinking skills. 

A0071 

Ability to apply language and cultural expertise to analysis. 

A0072 

Ability to clearly articulate intelligence requirements into well-formulated research questions 
and data tracking variables for inquiry tracking purposes. 

A0073 

Ability to clearly articulate intelligence requirements into well-formulated research questions 
and requests for information. 

A0074 

Ability to collaborate effectively with others. 

A0075 

Ability to communicate complex information, concepts, or ideas in a confident and
well-organized manner through verbal, written, and/or visual means.

A0076 

Ability to coordinate and collaborate with analysts regarding surveillance requirements and 
essential information development. 

A0077 

Ability to coordinate cyber operations with other organization functions or support activities. 

A0078 

Ability to coordinate, collaborate and disseminate information to subordinate, lateral and 
higher-level organizations. 

A0079 

Ability to correctly employ each organization or element into the collection plan and matrix. 

A0080 

Ability to develop or recommend analytic approaches or solutions to problems and situations 
for which information is incomplete or for which no precedent exists. 

A0081 

Ability to develop or recommend planning solutions to problems and situations for which no 
precedent exists. 

A0082 

Ability to effectively collaborate via virtual teams. 

A0083 

Ability to evaluate information for reliability, validity, and relevance. 

A0084 

Ability to evaluate, analyze, and synthesize large quantities of data (which may be 
fragmented and contradictory) into high quality, fused targeting/intelligence products. 

A0085 

Ability to exercise judgment when policies are not well-defined. 

A0086 

Ability to expand network access by conducting target analysis and collection in order to 
identify targets of interest. 

A0087 

Ability to focus research efforts to meet the customer’s decision-making needs. 

A0088 

Ability to function effectively in a dynamic, fast-paced environment. 

A0089 

Ability to function in a collaborative environment, seeking continuous consultation with 
other analysts and experts—both internal and external to the organization—in order to 
leverage analytical and technical expertise. 

A0090 

Ability to identify external partners with common cyber operations interests. 

A0091 

Ability to identify intelligence gaps. 

A0092 

Ability to identify/describe target vulnerability. 

A0093 

Ability to identify/describe techniques/methods for conducting technical exploitation of the 
target. 

A0094 

Ability to interpret and apply laws, regulations, policies, and guidance relevant to 
organization cyber objectives. 

A0095 

Ability to interpret and translate customer requirements into operational action. 

A0096 

Ability to interpret and understand complex and rapidly evolving concepts. 

A0097 

Ability to monitor system operations and react to events in response to triggers and/or 
observation of trends or unusual activity. 

A0098 

Ability to participate as a member of planning teams, coordination groups, and task forces as 
necessary. 

A0099 

Ability to perform network collection tactics, techniques, and procedures to include 
decryption capabilities/tools. 

A0100

Ability to perform wireless collection procedures to include decryption capabilities/tools.

A0101

Ability to recognize and mitigate cognitive biases which may affect analysis.

A0102

Ability to recognize and mitigate deception in reporting and analysis.

A0103

Ability to review processed target language materials for accuracy and completeness.

A0104

Ability to select the appropriate implant to achieve operational goals.

A0105

Ability to tailor technical and planning information to a customer’s level of understanding.

A0106

Ability to think critically.

A0107

Ability to think like threat actors.

A0108

Ability to understand objectives and effects.

A0109

Ability to utilize multiple intelligence sources across all intelligence disciplines. 

A0110 

Ability to monitor advancements in information privacy laws to ensure organizational 
adaptation and compliance. 

A0111 

Ability to work across departments and business units to implement organization’s privacy 
principles and programs, and align privacy objectives with security objectives. 

A0112 

Ability to monitor advancements in information privacy technologies to ensure 
organizational adaptation and compliance. 

A0113 

Ability to determine whether a security incident violates a privacy principle or legal standard 
requiring specific legal action. 

A0114 

Ability to develop or procure curriculum that speaks to the topic at the appropriate level for 
the target. 

A0115 

Ability to work across departments and business units to implement organization’s privacy 
principles and programs, and align privacy objectives with security objectives. 

A0116 

Ability to prioritize and allocate cybersecurity resources correctly and efficiently. 

A0117 

Ability to relate strategy, business, and technology in the context of organizational dynamics. 

A0118 

Ability to understand technology, management, and leadership issues related to organization 
processes and problem solving. 

A0119 

Ability to understand the basic concepts and issues related to cyber and its organizational 
impact. 


Appendix B—Work Role Detail Listing

The following section provides a detailed description of each NCWF Work Role. For each of the
current Work Roles, as described in the NCWF, the listing below provides the following
information:


• A unique NCWF Work Role ID, based upon the NCWF Category and Specialty Area to 
which that Work Role belongs; 

• The Specialty Area supporting the Work Role; 

• The formal Work Role name, followed by the OPM job code identifier in parentheses; 

• A description of the Work Role; 

• A list of the NCWF Tasks that a person in a cybersecurity position that includes the Work 
Role might be expected to perform; 

• A list of the NCWF Knowledge areas that a person in a cybersecurity position that 
includes the Work Role might be expected to exhibit; 

• A list of the NCWF Skills that a person in a cybersecurity position that includes the Work 
Role might be expected to possess; and, 

• A list of the NCWF Abilities that a person in a cybersecurity position that includes the 
Work Role might be expected to demonstrate. 

The following tables describe the NCWF Work Roles. As described in Section 4, this listing will be 
updated periodically based upon industry feedback and changes to the cybersecurity landscape. 


Work Role ID 

SP-RM-001 

Category 

Securely Provision (SP) 

Specialty Area 

Risk Management (RM) 

Work Role Name 

Authorizing Official (611) 

Work Role 
Description 

Senior official or executive with the authority to formally assume responsibility for 
operating an information system at an acceptable level of risk to organizational 
operations (including mission, functions, image, or reputation), organizational 
assets, individuals, other organizations, and the Nation (CNSSI 4009). 

Tasks 

T0145, T0221, T0371, T0495 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0013, K0019, K0027, K0028, 
K0037, K0038, K0040, K0044, K0048, K0049, K0054, K0059, K0084, K0085, 
K0089, K0101, K0146, K0168, K0169, K0170, K0179, K0199, K0203, K0260, 
K0261, K0262, K0267, K0295, K0322, K0342 

Skills 

S0034 

Abilities 

[None specified] 


Work Role ID 

SP-RM-002 

Category 

Securely Provision (SP) 

Specialty Area 

Risk Management (RM) 

Work Role Name 

Security Control Assessor (612) 

Work Role 
Description 

Conducts independent comprehensive assessments of the management, operational, 
and technical security controls and control enhancements employed within or 
inherited by an information technology (IT) system to determine the overall 
effectiveness of the controls (as defined in NIST 800-37). 

Tasks 

T0032, T0072, T0079, T0083, T0141, T0150, T0183, T0184, T0197, T0218, 

T0221, T0244, T0245, T0251, T0301 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0013, K0019, K0027, K0028, 
K0037, K0038, K0040, K0044, K0048, K0049, K0054, K0059, K0084, K0085, 
K0089, K0101, K0146, K0168, K0169, K0170, K0179, K0199, K0203, K0260,
K0261, K0262, K0267, K0287, K0322, K0342 

Skills 

S0001, S0006, S0027, S0034, S0038, S0086 

Abilities 

[None specified] 




Work Role ID 

SP-DEV-001 

Category 

Securely Provision (SP) 

Specialty Area 

Software Development (DEV) 

Work Role Name 

Software Developer (621) 

Work Role
Description

Develops, creates, maintains, and writes/codes new (or modifies existing)
computer applications, software, or specialized utility programs.

Tasks 

T0009, T0011, T0013, T0014, T0022, T0026, T0034, T0040, T0046, T0057, 

T0077, T0100, T0111, T0117, T0118, T0171, T0176, T0181, T0189, T0217, 

T0228, T0236, T0267, T0303, T0311, T0324, T0337, T0416, T0417, T0436, 

T0455, T0500, T0553, T0554 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0014, K0016, K0027, K0028, 
K0039, K0044, K0051, K0060, K0066, K0068, K0073, K0079, K0080, K0081, 
K0082, K0084, K0085, K0086, K0105, K0139, K0140, K0152, K0153, K0154, 

K0170, K0179, K0199, K0202, K0219, K0260, K0261, K0262, K0263, K0322,
K0331, K0342, K0343 

Skills 

S0001, S0014, S0017, S0019, S0022, S0031, S0034, S0060, S0135, S0138, S0149, 
S0174, S0175 


Abilities 


A0007, A0021, A0047 


Work Role ID 

SP-DEV-002 

Category 

Securely Provision (SP) 

Specialty Area 

Software Development (DEV) 

Work Role Name 

Secure Software Assessor (622) 

Work Role 
Description 

Analyzes the security of new or existing computer applications, software, or 
specialized utility programs and provides actionable results. 

Tasks 

T0013, T0014, T0022, T0038, T0040, T0100, T0111, T0117, T0118, T0171, 

T0181, T0217, T0228, T0236, T0266, T0311, T0324, T0337, T0424, T0428, 

T0436, T0456, T0457, T0516, T0554 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0014, K0016, K0027, K0028, 
K0039, K0044, K0051, K0060, K0066, K0068, K0073, K0079, K0080, K0081, 
K0082, K0084, K0085, K0086, K0105, K0139, K0140, K0152, K0153, K0154, 

K0170, K0178, K0179, K0199, K0202, K0219, K0260, K0261, K0262, K0263,
K0322, K0342, K0343 

Skills 

S0001, S0022, S0031, S0034, S0083, S0135, S0138, S0174, S0175 

Abilities 

A0021 


Work Role ID 

SP-ARC-001 

Category 

Securely Provision (SP) 

Specialty Area 

Systems Architecture (ARC) 

Work Role Name 

Enterprise Architect (651) 

Work Role 
Description 

Develops and maintains business, systems, and information processes to support 
enterprise mission needs; develops information technology (IT) rules and 
requirements that describe baseline and target architectures. 

Tasks 

T0051, T0084, T0090, T0108, T0196, T0205, T0307, T0314, T0328, T0338, 

T0427, T0440, T0448, T0473, T0517, T0521, T0542, T0555, T0557 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0024, K0027, K0028, K0030, 
K0035, K0037, K0043, K0044, K0052, K0056, K0060, K0061, K0063, K0074, 
K0075, K0082, K0091, K0093, K0102, K0170, K0179, K0180, K0198, K0200,
K0203, K0207, K0211, K0212, K0214, K0227, K0240, K0264, K0275, K0286, 
K0287, K0291, K0293, K0299, K0322, K0323, K0325, K0326, K0332, K0333 

Skills 

S0005, S0024, S0050, S0060, S0099, S0122 

Abilities 

A0008, A0015, A0027, A0038, A0051, A0060 


Work Role ID 

SP-ARC-002 

Category 

Securely Provision (SP) 

Specialty Area 

Systems Architecture (ARC) 

Work Role Name 

Security Architect (652) 

Work Role 
Description 

Designs enterprise and systems security throughout the development life cycle; 
translates technology and environmental conditions (e.g., law and regulation) into 
security designs and processes. 

Tasks 

T0050, T0051, T0071, T0082, T0084, T0090, T0108, T0177, T0196, T0203,

T0205, T0268, T0307, T0314, T0328, T0338, T0427, T0448, T0473, T0484, 

T0542, T0556 
Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0018, K0019, K0024, 
K0027, K0030, K0035, K0036, K0037, K0043, K0044, K0052, K0055, K0056, 
K0060, K0061, K0063, K0074, K0082, K0091, K0092, K0093, K0102, K0170, 

K0180, K0198, K0200, K0207, K0211, K0212, K0214, K0227, K0240, K0260,
K0261, K0262, K0264, K0275, K0286, K0287, K0291, K0293, K0320, K0322, 
K0323, K0325, K0332, K0333, K0336 

Skills 

S0005, S0024, S0027, S0050, S0060, S0099, S0116, S0122, S0139, S0152, S0168

Abilities 

A0008, A0015, A0027, A0038, A0048, A0049, A0050, A0061 


Work Role ID 

SP-RD-001 

Category 

Securely Provision (SP) 

Specialty Area 

Technology R&D (RD) 

Work Role Name 

Research and Development Specialist (661) 

Work Role 
Description 

Conducts software and systems engineering and software systems research in order 
to develop new capabilities, ensuring cybersecurity is fully integrated. Conducts 
comprehensive technology research to evaluate potential vulnerabilities in 
cyberspace systems. 

Tasks 

T0064, T0249, T0250, T0283, T0284, T0327, T0329, T0409, T0410, T0411, 

T0413, T0547 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0009, K0019, K0059, K0090, 

K0169, K0170, K0171, K0172, K0173, K0174, K0175, K0176, K0179, K0202,
K0209, K0267, K0268, K0269, K0271, K0272, K0288, K0296, K0310, K0314, 
K0321, K0342 

Skills 

S0005, S0017, S0072, SOHO, S0148, S0172 

Abilities 

A0001, A0018, A0019 


Work Role ID 

SP-RP-001 

Category 

Securely Provision (SP) 

Specialty Area 

Systems Requirements Planning (RP) 

Work Role Name 

Systems Requirements Planner (641) 

Work Role 
Description 

Consults with customers to evaluate functional requirements and translate 
functional requirements into technical solutions. 

Tasks 

T0033, T0039, T0045, T0052, T0062, T0127, T0156, T0174, T0191, T0235, 

T0273, T0300, T0313, T0325, T0334, T0454, T0463, T0497 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0008, K0012, K0018, K0019, 
K0032, K0035, K0038, K0043, K0044, K0045, K0047, K0055, K0056, K0059, 
K0060, K0061, K0063, K0066, K0067, K0073, K0074, K0086, K0087, K0090, 
K0091, K0093, K0101, K0102, K0163, K0164, K0168, K0169, K0170, K0180,
K0200, K0267, K0287, K0325, K0332, K0333 

Skills 

S0005, S0006, S0008, S0010, S0050, S0134 

Abilities 

A0064 


Work Role ID 

SP-TE-001 

Category 

Securely Provision (SP) 

Specialty Area 

Test and Evaluation (TE) 

Work Role Name 

System Test & Evaluation Specialist (671) 

Work Role 
Description 

Plans, prepares, and executes tests of systems to evaluate results against 
specifications and requirements as well as analyze/report test results. 

Tasks 

T0058, T0080, T0143, T0257, T0274, T0393, T0426, T0511, T0512, T0513, 

T0539, T0540 
Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0027, K0028, K0037, K0044, 
K0057, K0088, K0102, K0139, K0169, K0170, K0179, K0199, K0203, K0212, 
K0250, K0260, K0261, K0262, K0287, K0332 

Skills 

S0015, S0021, S0026, S0030, S0048, S0060, S0061, S0082, S0104, S0107, S0110, 
S0112, S0115, S0117

Abilities 

A0026, A0030, A0040 


Work Role ID 

SP-SYS-001 

Category 

Securely Provision (SP) 

Specialty Area 

Systems Development (SYS) 

Work Role Name 

Information Systems Security Developer (631) 

Work Role 
Description 

Designs, develops, tests, and evaluates information system security throughout the 
systems development life cycle. 

Tasks 

T0012, T0015, T0018, T0019, T0021, T0032, T0053, T0055, T0056, T0061, 

T0069, T0070, T0076, T0078, T0105, T0107, T0109, T0119, T0122, T0124, 

T0181, T0201, T0205, T0228, T0231, T0242, T0269, T0270, T0271, T0272, 

T0304, T0326, T0359, T0446, T0449, T0466, T0509, T0518, T0527, T0541, 

T0544 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0018, K0024, K0027, 
K0028, K0030, K0032, K0035, K0036, K0044, K0045, K0049, K0050, K0052, 
K0055, K0056, K0060, K0061, K0063, K0065, K0066, K0067, K0073, K0081, 
K0082, K0084, K0086, K0087, K0090, K0091, K0093, K0102, K0139, K0169,
K0170, K0179, K0180, K0200, K0203, K0260, K0261, K0262, K0276, K0287,
K0297, K0308, K0322, K0325, K0331, K0333, K0336 

Skills 

S0001, S0022, S0023, S0024, S0031, S0034, S0036, S0085, S0145, S0160 

Abilities 

[None specified] 


Work Role ID 

SP-SYS-002 

Category 

Securely Provision (SP) 

Specialty Area 

Systems Development (SYS) 

Work Role Name 

Systems Developer (632) 

Work Role
Description

Designs, develops, tests, and evaluates information systems throughout the systems
development life cycle.

Tasks 

T0012, T0021, T0053, T0056, T0061, T0067, T0070, T0107, T0109, T0119, 

T0181, T0201, T0205, T0228, T0242, T0304, T0326, T0350, T0358, T0359, 

T0378, T0406, T0447, T0449, T0464, T0466, T0480, T0488, T0518, T0528, 

T0538, T0541, T0544, T0558, T0559, T0560 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0018, K0024, K0027, 
K0028, K0030, K0032, K0035, K0036, K0044, K0045, K0049, K0050, K0052, 
K0055, K0056, K0060, K0061, K0063, K0065, K0066, K0067, K0073, K0081, 
K0082, K0084, K0086, K0087, K0090, K0091, K0093, K0102, K0139, K0169,
K0170, K0179, K0180, K0200, K0203, K0207, K0212, K0227, K0260, K0261,
K0262, K0276, K0287, K0297, K0308, K0322, K0325, K0332, K0333, K0336 

Skills 

S0018, S0022, S0023, S0024, S0031, S0034, S0036, S0060, S0085, S0097, S0098, 
S0136, S0145, S0146, S0160 

Abilities 

[None specified] 
Work Role ID

OM-DA-001

Category 

Operate and Maintain (OM) 

Specialty Area 

Data Administration (DA) 

Work Role Name 

Database Administrator (421) 

Work Role 
Description 

Administers databases and/or data management systems that allow for the storage, 
query, and utilization of data. 

Tasks 

T0008, T0137, T0139, T0140, T0146, T0152, T0162, T0210, T0305, T0306, 

T0330, T0422, T0459, T0490 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0020, K0021, K0022, K0023, 
K0025, K0031, K0056, K0060, K0065, K0069, K0083, K0097, K0260, K0261, 
K0262, K0277, K0278, K0279, K0287, K0420 

Skills 

S0002, S0013, S0037, S0042, S0045 

Abilities 

[None specified] 




Work Role ID 

OM-DA-002 

Category 

Operate and Maintain (OM) 

Specialty Area 

Data Administration (DA) 

Work Role Name 

Data Analyst (422) 

Work Role 
Description 

Examines data from multiple disparate sources with the goal of providing new 
insight. Designs and implements custom algorithms, flow processes and layouts for 
complex, enterprise-scale data sets used for modeling, data mining, and research 
purposes. 

Tasks 

T0007, T0008, T0068, T0146, T0195, T0210, T0342, T0347, T0349, T0351, 

T0353, T0361, T0366, T0381, T0382, T0383, T0385, T0392, T0402, T0403, 

T0404, T0405, T0460 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0016, K0020, K0022, 
K0023, K0025, K0031, K0051, K0056, K0060, K0065, K0068, K0069, K0083, 
K0095, K0129, K0139, K0140, K0193, K0197, K0229, K0236, K0238, K0325,
K0328, K0420 

Skills 

S0013, S0017, S0028, S0029, S0037, S0060, S0088, S0089, S0094, S0095, S0103, 
S0105, S0106, S0109, S0113, S0114, S0118, S0119, S0123, S0125, S0126, S0127,
S0129, S0130, S0160 

Abilities 

A0029, A0035, A0036, A0041, A0066 




Work Role ID 

OM-KM-001

Category 

Operate and Maintain (OM) 

Specialty Area 

Knowledge Management (KM) 

Work Role Name 

Knowledge Manager (431) 

Work Role 
Description 

Responsible for the management and administration of processes and tools that 
enable the organization to identify, document, and access intellectual capital and 
information content. 

Tasks 

T0037, T0060, T0154, T0185, T0209, T0339, T0421, T0452, T0524 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0013, K0094, K0095, K0096, 

K0146, K0194, K0195, K0228, K0260, K0261, K0262, K0283, K0287, K0315,
K0338, K0420 

Skills 

S0011, S0012, S0049, S0055 

Abilities 

A0002 


Work Role ID

OM-TS-001

Category 

Operate and Maintain (OM) 

Specialty Area 

Customer Service and Technical Support (TS) 

Work Role Name 

Technical Support Specialist (411) 

Work Role 
Description 

Provides technical support to customers who need assistance utilizing client level 
hardware and software in accordance with established or approved organizational 
process components, (i.e., Master Incident Management Plan, when applicable). 

Tasks 

T0237, T0308, T0315, T0331, T0468, T0482, T0491, T0494, T0496, T0502, 

T0530 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0053, K0088, K0114, K0237,
K0242, K0247, K0260, K0261, K0262, K0287, K0292, K0294, K0302, K0306, 
K0317, K0330 

Skills 

S0039, S0058, S0142, S0159 

Abilities 

A0025, A0034 




Work Role ID 

OM-NET-001

Category 

Operate and Maintain (OM) 

Specialty Area 

Network Services (NET) 

Work Role Name 

Network Operations Specialist (441) 

Work Role 
Description 

Plans, implements, and operates network services/systems, to include hardware and 
virtual environments. 

Tasks 

T0035, T0065, T0081, T0121, T0125, T0126, T0129, T0153, T0160, T0200, 

T0232 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0010, K0011, K0029, K0038, 
K0049, K0050, K0053, K0061, K0071, K0076, K0093, K0104, K0108, K0113,
K0135, K0136, K0137, K0138, K0159, K0160, K0179, K0180, K0181, K0200,
K0201, K0203, K0260, K0261, K0262, K0287, K0307, K0332 

Skills 

S0004, S0035, S0040, S0041, S0056, S0077, S0079, S0084, S0150, S0162, S0170 

Abilities 

A0052, A0055, A0058, A0059, A0062, A0063, A0065 




Work Role ID 

OM-SA-001 

Category 

Operate and Maintain (OM) 

Specialty Area 

Systems Administration (SA) 

Work Role Name 

System Administrator (451) 

Work Role
Description

Installs, configures, troubleshoots, and maintains hardware, software, and
administers system accounts.

Tasks 

T0029, T0054, T0063, T0136, T0144, T0186, T0207, T0418, T0431, T0435, 

T0458, T0461, T0498, T0501, T0507, T0514, T0515, T0531 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0049, K0053, K0064, K0077, 
K0088, K0100, K0103, K0104, K0117, K0130, K0158, K0167, K0179, K0181,
K0260, K0261, K0262, K0280, K0289, K0318, K0327, K0331, K0346 

Skills 

S0016, S0033, S0043, S0073, S0076, S0111, S0143, S0144, S0151, S0153, S0154,
S0155, S0157, S0158 

Abilities 

[None specified]


Work Role ID

OM-AN-001

Category 

Operate and Maintain (OM) 

Specialty Area 

Systems Analysis (AN) 

Work Role Name 

Systems Security Analyst (461) 

Work Role 
Description 

Responsible for the analysis and development of the integration, testing, 
operations, and maintenance of systems security. 

Tasks 

T0015, T0016, T0017, T0085, T0086, T0088, T0123, T0128, T0169, T0177,

T0187, T0194, T0202, T0205, T0243, T0309, T0344, T0462, T0469, T0470, 

T0475, T0477, T0485, T0489, T0492, T0499, T0504, T0508, T0526, T0545, 

T0548 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0018, K0019, K0024, 
K0035, K0036, K0040, K0044, K0049, K0056, K0060, K0061, K0063, K0075, 
K0082, K0093, K0102, K0179, K0180, K0200, K0203, K0227, K0232, K0260,
K0261, K0262, K0263, K0266, K0267, K0275, K0276, K0281, K0284, K0285, 
K0287, K0290, K0297, K0322, K0329, K0333, K0339 

Skills 

S0024, S0027, S0031, S0036, S0060, S0141, S0147, S0167 

Abilities 

A0015 


Work Role ID 

OV-LG-001 

Category 

Oversee and Govern (OV) 

Specialty Area 

Legal Advice and Advocacy (LG) 

Work Role Name 

Cyber Legal Advisor (731) 

Work Role 
Description 

Provides legal advice and recommendations on relevant topics related to cyber law. 

Tasks 

T0006, T0098, T0102, T0131, T0220, T0419, T0434, T0465, T0474, T0476, 

T0478, T0487, T0522 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0017, K0059, K0107, K0157,
K0312, K0316, K0341 

Skills 

[None specified] 

Abilities 

A0046 


Work Role ID 

OV-LG-002 

Category 

Oversee and Govern (OV) 

Specialty Area 

Legal Advice and Advocacy (LG) 

Work Role Name 

Privacy Compliance Manager (732) 

Work Role 
Description 

Develops and oversees privacy compliance program and privacy program staff, 
supporting privacy compliance needs of privacy and security executives and their 
teams. 

Tasks 

T0003, T0004, T0032, T0066, T0098, T0099, T0131, T0133, T0188, T0381, 

T0384, T0478, T0861, T0862, T0863, T0864, T0865, T0866, T0867, T0868, 

T0869, T0870, T0871, T0872, T0873, T0874, T0875, T0876, T0877, T0878, 

T0879, T0880, T0881, T0882, T0883, T0884, T0885, T0886, T0887, T0888, 

T0889, T0890, T0891, T0892, T0893, T0894, T0895, T0896, T0897, T0898, 

T0899, T0900, T0901, T0902, T0903, T0904, T0905, T0906, T0907, T0908, 

T0909, T0910, T0911, T0912, T0913, T0914, T0915, T0916, T0917, T0918, 

T0919 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0008, K0066, K0168, K0606,
K0607, K0608, K0609, K0610, K0611, K0612, K0613, K0614 

Skills 

S0354, S0355, S0356 


Abilities

A0024, A0033, A0034, A0104, A0105, A0110, A0111, A0112, A0113, A0114,
A0115


Work Role ID

OV-ED-001

Category

Oversee and Govern (OV)

Specialty Area

Training, Education, and Awareness (ED)

Work Role Name

Cyber Instructional Curriculum Developer (711)

Work Role
Description

Develops, plans, coordinates, and evaluates cyber training/education courses,
methods, and techniques based on instructional needs.

Tasks

T0230, T0247, T0345, T0352, T0357, T0365, T0367, T0380, T0437, T0442,
T0450, T0534, T0536, T0926

Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0059, K0124, K0146, K0147,
K0239, K0245, K0246, K0252, K0287

Skills

S0064, S0066, S0070, S0102, S0166

Abilities

A0004, A0032, A0054


Work Role ID

OV-ED-002

Category

Oversee and Govern (OV)

Specialty Area

Training, Education, and Awareness (ED)

Work Role Name

Cyber Instructor (712)

Work Role
Description

Develops and conducts training or education of personnel within cyber domain.

Tasks

T0030, T0073, T0101, T0224, T0230, T0247, T0316, T0317, T0318, T0319,
T0320, T0321, T0322, T0323, T0443, T0444, T0450, T0467, T0519, T0520,
T0535, T0536, T0926

Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0059, K0115, K0124, K0130,
K0146, K0147, K0204, K0208, K0213, K0215, K0216, K0217, K0218, K0220,
K0226, K0287, K0319

Skills

S0064, S0070, S0100, S0101

Abilities

A0006, A0011, A0012, A0013, A0014, A0016, A0017, A0020, A0022, A0023,
A0024, A0057


Work Role ID 

OV-MG-001 

Category 

Oversee and Govern (OV) 

Specialty Area 

Cybersecurity Management (MG) 

Work Role Name 

Information Systems Security Manager (722) 

Work Role 
Description 

Responsible for the cybersecurity of a program, organization, system, or enclave. 

Tasks 

T0001, T0002, T0003, T0004, T0005, T0024, T0025, T0044, T0089, T0091, 

T0092, T0093, T0095, T0097, T0099, T0106, T0115, T0130, T0132, T0133, 

T0134, T0135, T0147, T0148, T0149, T0151, T0157, T0158, T0159, T0192, 

T0199, T0206, T0211, T0213, T0215, T0219, T0227, T0229, T0234, T0239,

T0248, T0254, T0255, T0256, T0263, T0264, T0265, T0275, T0276, T0277, 

T0280, T0281, T0282 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0008, K0018, K0021, K0026, 
K0033, K0038, K0040, K0042, K0043, K0046, K0048, K0053, K0054, K0058, 
K0059, K0061, K0070, K0072, K0076, K0077, K0087, K0090, K0092, K0101, 

K0106, K0121, K0126, K0149, K0150, K0151, K0163, K0167, K0168, K0169,

K0170, K0179, K0180, K0199, K0260, K0261, K0262, K0267, K0287, K0332,
K0342

Skills

S0018, S0027, S0086 

Abilities 

[None specified] 


Work Role ID 

OV-MG-002 

Category 

Oversee and Govern (OV) 

Specialty Area 

Cybersecurity Management (MG) 

Work Role Name 

COMSEC Manager (723) 

Work Role 
Description 

Individual who manages the Communications Security (COMSEC) resources of an 
organization (CNSSI 4009). 

Tasks 

T0003, T0004, T0025, T0044, T0089, T0095, T0099, T0215, T0229 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0018, K0026, K0038, K0042, 
K0090, K0101, K0121, K0126, K0163, K0267, K0287 

Skills 

S0027 

Abilities 

[None specified] 


Work Role ID 

OV-PL-001 

Category 

Oversee and Govern (OV) 

Specialty Area 

Strategic Planning and Policy (PL) 

Work Role Name 

Cyber Workforce Developer and Manager (751) 

Work Role 
Description 

Develops cyberspace workforce plans, strategies and guidance to support 
cyberspace workforce manpower, personnel, training and education requirements 
and to address changes to cyberspace policy, doctrine, materiel, force structure, and 
education and training requirements. 

Tasks 

T0074, T0094, T0116, T0222, T0226, T0341, T0355, T0356, T0362, T0363, 

T0364, T0368, T0369, T0372, T0373, T0374, T0375, T0376, T0384, T0387, 

T0388, T0390, T0391, T0408, T0425, T0429, T0441, T0445, T0472, T0481, 

T0505, T0506, T0529, T0533, T0537, T0552 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0070, K0127, K0146, K0166, 

K0168, K0233, K0234, K0241, K0243, K0309, K0311, K0313, K0335

Skills 

S0108, S0128 

Abilities 

A0028, A0033, A0037, A0042, A0053 


Work Role ID 

OV-PL-002 

Category 

Oversee and Govern (OV) 

Specialty Area 

Strategic Planning and Policy Development 

Work Role Name 

Cyber Policy and Strategy Planner (752) 

Work Role 
Description 

Develops cyberspace plans, strategy and policy to support and align with 
organizational cyberspace missions and initiatives. 

Tasks 

T0074, T0094, T0222, T0226, T0341, T0369, T0384, T0390, T0408, T0425, 

T0429, T0441, T0445, T0472, T0505, T0506, T0529, T0533, T0537 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0070, K0127, K0146, K0168, 
K0234, K0248, K0309, K0311, K0313, K0335 

Skills 

[None specified] 

Abilities 

A0003, A0033, A0037 


Work Role ID 

OV-EX-001 

Category 

Executive Cyber Leadership (EX) 

Specialty Area 

Oversee and Govern (OV) 

Work Role Name 

Executive Cyber Leadership (901)

Work Role
Description 

Executes decision making authorities and establishes vision and direction for an 
organization's cyber and cyber-related resources and/or operations. 

Tasks 

T0001, T0002, T0006, T0066, T0157, T0229, T0264, T0282, T0337, T0356,

T0429, T0445, T0509, T0763, T0871, T0872, T0927, T0928 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0009, K0085, K0106, K0314, 
K0296, K0147

Skills 

S0356, S0357, S0358, S0359 

Abilities 

A0033, A0070, A0085, A0094, A0105, A0106, A0116, A0117, A0118, A0119 


Work Role ID 

OV-PM-001 

Category 

Oversee and Govern (OV) 

Specialty Area 

Acquisition and Program/Project Management (PM) 

Work Role Name 

Program Manager (801) 

Work Role 
Description 

Leads, coordinates, communicates, integrates and is accountable for the overall 
success of the program, ensuring alignment with critical agency priorities.

Tasks 

T0066, T0072, T0174, T0199, T0220, T0223, T0256, T0273, T0277, T0302, 

T0340, T0354, T0377, T0379, T0407, T0412, T0414, T0415, T0481, T0493, 

T0551 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0047, K0048, K0072, K0090, 
K0101, K0120, K0146, K0148, K0154, K0164, K0165, K0169, K0194, K0196,
K0198, K0200, K0235, K0257, K0270

Skills 

S0038 

Abilities 

A0009, A0039, A0045, A0056


Work Role ID 

OV-PM-002 

Category 

Oversee and Govern (OV) 

Specialty Area 

Acquisition and Program/Project Management (PM) 

Work Role Name 

Information Technology (IT) Project Manager (802) 

Work Role 
Description 

Directly manages information technology projects to provide a unique service or 
product. 

Tasks 

T0072, T0174, T0196, T0199, T0207, T0208, T0220, T0223, T0256, T0273, 

T0277, T0340, T0354, T0370, T0377, T0379, T0389, T0394, T0407, T0412, 

T0414, T0415, T0481, T0493, T0551 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0012, K0043, K0047, K0048, 
K0059, K0072, K0090, K0101, K0120, K0146, K0148, K0154, K0164, K0165, 

K0169, K0194, K0196, K0198, K0200, K0235, K0257, K0270

Skills 

S0038 

Abilities 

A0009, A0039, A0045, A0056 


Work Role ID 

OV-PM-003 

Category 

Oversee and Govern (OV) 

Specialty Area 

Acquisition and Program/Project Management (PM) 

Work Role Name 

Product Support Manager (803) 

Work Role 
Description 

Manages the package of support functions required to field and maintain the 
readiness and operational capability of systems and components. 

Tasks 

T0072, T0174, T0196, T0204, T0207, T0208, T0220, T0223, T0256, T0273, 

T0277, T0302, T0340, T0354, T0370, T0377, T0389, T0394, T0412, T0414, 

T0493, T0525, T0551, T0553

Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0043, K0048, K0059, K0072, 
K0090, K0120, K0148, K0150, K0154, K0164, K0165, K0169, K0194, K0196,
K0198, K0200, K0235, K0249, K0257, K0270

Skills 

S0038 

Abilities 

A0009, A0031, A0039, A0045, A0056 


Work Role ID 

OV-PM-004 

Category 

Oversee and Govern (OV) 

Specialty Area 

Acquisition and Program/Project Management (PM) 

Work Role Name 

IT Investment/Portfolio Manager (804) 

Work Role 
Description 

Manages a portfolio of IT capabilities that align with the overall needs of mission 
and business enterprise priorities. 

Tasks 

T0220, T0223, T0277, T0302, T0377, T0415, T0493, T0551 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0048, K0072, K0120, K0126, 

K0146, K0154, K0165, K0169, K0235, K0257, K0270

Skills 

[None specified] 

Abilities 

A0039 


Work Role ID 

OV-PM-005 

Category 

Oversee and Govern (OV) 

Specialty Area 

Acquisition and Program/Project Management (PM) 

Work Role Name 

IT Program Auditor (805) 

Work Role
Description

Conducts evaluations of an IT program or its individual components, to determine
compliance with published standards.

Tasks 

T0072, T0207, T0208, T0223, T0256, T0389, T0412, T0415 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0043, K0047, K0048, K0072, 
K0090, K0120, K0148, K0154, K0165, K0169, K0198, K0200, K0235, K0257,
K0270 

Skills 

S0038, S0085 

Abilities 

A0056 


Work Role ID 

PR-DA-001 

Category 

Protect and Defend (PR) 

Specialty Area 

Cyber Defense Analysis (DA) 

Work Role Name 

Cyber Defense Analyst (511) 

Work Role 
Description 

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, 
firewalls, network traffic logs) to analyze events that occur within their
environments for the purposes of mitigating threats. 

Tasks 

T0020, T0023, T0043, T0088, T0155, T0164, T0166, T0178, T0187, T0198,

T0214, T0258, T0259, T0260, T0290, T0291, T0292, T0293, T0294, T0295, 

T0296, T0297, T0298, T0299, T0310, T0332, T0469, T0470, T0475, T0503, 

T0504, T0526, T0545, T0548 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0007, K0013, K0015, K0018, 
K0019, K0024, K0033, K0040, K0042, K0044, K0046, K0049, K0056, K0058, 
K0059, K0060, K0061, K0065, K0070, K0074, K0075, K0093, K0098, K0099, 

K0104, K0106, K0110, K0111, K0112, K0113, K0116, K0139, K0142, K0143,
K0157, K0160, K0161, K0162, K0167, K0168, K0179, K0180, K0190, K0191,
K0192, K0203, K0221, K0222, K0260, K0261, K0262, K0273, K0290, K0297,
K0300, K0301, K0303, K0318, K0322, K0324, K0331, K0339, K0342

Skills

S0020, S0025, S0027, S0036, S0054, S0057, S0063, S0078, S0096, S0147, S0167, 
S0169

Abilities 

A0010, A0015, A0066 


Work Role ID 

PR-INF-001 

Category 

Protect and Defend (PR) 

Specialty Area 

Cyber Defense Infrastructure Support (INF) 

Work Role Name 

Cyber Defense Infrastructure Support Specialist (521) 

Work Role 
Description 

Tests, implements, deploys, maintains, and administers the infrastructure hardware 
and software. 

Tasks 

T0042, T0180, T0261, T0335, T0348, T0420, T0438, T0483, T0486 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0021, K0033, K0042, K0044, 
K0062, K0104, K0106, K0135, K0157, K0179, K0205, K0258, K0274, K0324,
K0331, K0334, K0340 

Skills 

S0007, S0053, S0054, S0059, S0077, S0079, S0121, S0124 

Abilities 

[None specified] 


Work Role ID 

PR-IR-001 

Category 

Protect and Defend (PR) 

Specialty Area 

Incident Response (IR) 

Work Role Name 

Cyber Defense Incident Responder (531) 

Work Role 
Description 

Investigates, analyzes, and responds to cyber incidents within the network 
environment or enclave. 

Tasks 

T0041, T0047, T0161, T0163, T0170, T0175, T0214, T0233, T0246, T0262, 

T0278, T0279, T0312, T0333, T0395, T0503, T0510 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0021, K0026, K0033, K0034, 
K0041, K0042, K0046, K0058, K0062, K0070, K0106, K0157, K0161, K0162, 

K0167, K0177, K0179, K0221, K0225, K0230, K0259, K0287, K0332

Skills 

S0003, S0047, S0077, S0078, S0079, S0080, S0173 

Abilities 

[None specified] 


Work Role ID 

PR-VA-001 

Category 

Protect and Defend (PR) 

Specialty Area 

Vulnerability Assessment and Management (VA) 

Work Role Name 

Vulnerability Assessment Analyst (541) 

Work Role 
Description 

Performs assessments of systems and networks within the NE or enclave and 
identifies where those systems/networks deviate from acceptable configurations, 
enclave policy, or local policy. Measures effectiveness of defense-in-depth 
architecture against known vulnerabilities. 

Tasks 

T0010, T0028, T0138, T0142, T0188, T0252, T0549, T0550 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0009, K0019, K0021, K0033, 
K0044, K0056, K0061, K0068, K0070, K0085, K0089, K0106, K0139, K0161,
K0167, K0177, K0179, K0203, K0206, K0210, K0224, K0265, K0287, K0301,
K0308, K0331, K0342, K0344, K0345 

Skills 

S0001, S0009, S0025, S0044, S0051, S0052, S0081, S0120, S0137, S0171 

Abilities 

A0001, A0044 


Work Role ID 

AN-TA-001 

Category 

Analyze (AN)

Specialty Area

Threat Analysis (TA) 

Work Role Name 

Warning Analyst (141) 

Work Role 
Description 

Develops unique cyber indicators to maintain constant awareness of the status of 
the highly dynamic operating environment. Collects, processes, analyzes, and 
disseminates cyber warning assessments. 

Tasks 

T0569, T0583, T0584, T0585, T0586, T0589, T0593, T0597, T0615, T0617, 

T0660, T0685, T0687, T0707, T0708, T0718, T0748, T0749, T0751, T0752, 

T0758, T0761, T0783, T0785, T0786, T0792, T0800, T0805, T0834 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0173, K0348,
K0349, K0362, K0369, K0370, K0377, K0392, K0395, K0405, K0409, K0415, 
K0417, K0427, K0431, K0436, K0437, K0440, K0444, K0445, K0446, K0449, 
K0458, K0460, K0464, K0469, K0471, K0480, K0511, K0516, K0556, K0560, 
K0561, K0565, K0603, K0604, K0610, K0612, K0614 

Skills 

S0194, S0196, S0203, S0211, S0218, S0227, S0228, S0229, S0249, S0256, S0278,
S0285, S0288, S0289, S0296, S0297, S0303 

Abilities 

A0066, A0072, A0075, A0080, A0082, A0083, A0084, A0087, A0088, A0089, 
A0091, A0101, A0102, A0106, A0107, A0109


Work Role ID 

AN-XA-001 

Category 

Analyze (AN) 

Specialty Area 

Exploitation Analysis (XA) 

Work Role Name 

Exploitation Analyst (121) 

Work Role 
Description 

Collaborates to identify access and collection gaps that can be satisfied through 
cyber collection and/or preparation activities. Leverages all authorized resources 
and analytic techniques to penetrate targeted networks. 

Tasks 

T0570, T0572, T0574, T0591, T0600, T0603, T0608, T0614, T0641, T0695, 

T0701, T0720, T0727, T0736, T0738, T0754, T0775, T0777 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0131, K0142, K0348, K0349, 
K0362, K0369, K0370, K0417, K0444, K0471, K0560, K0351, K0354, K0368, 
K0371, K0376, K0379, K0388, K0393, K0394, K0397, K0418, K0430, K0434, 
K0443, K0447, K0451, K0470, K0473, K0484, K0487, K0489, K0509, K0510, 
K0523, K0529, K0535, K0537, K0544, K0557, K0559, K0608 

Skills 

S0066, S0184, S0199, S0200, S0201, S0204, S0207, S0214, S0223, S0236, S0237, 
S0239, S0240, S0245, S0247, S0258, S0260, S0264, S0269, S0279, S0286, S0290, 
S0294, S0300 

Abilities 

A0066, A0075, A0080, A0084, A0074, A0086, A0092, A0093, A0104 


Work Role ID 

AN-AN-001 

Category 

Analyze (AN) 

Specialty Area 

All-Source Analysis (AN) 

Work Role Name 

All-Source Analyst (111) 

Work Role 
Description 

Analyzes data/information from one or multiple sources to conduct preparation of 
the environment, respond to requests for information, and submit intelligence 
collection and production requirements in support of planning and operations. 

Tasks 

T0569, T0582, T0583, T0584, T0585, T0586, T0589, T0593, T0597, T0615, 

T0617, T0642, T0660, T0678, T0685, T0686, T0687, T0707, T0708, T0710, 

T0713, T0718, T0748, T0749, T0751, T0752, T0758, T0761, T0771, T0782, 

T0783, T0785, T0786, T0788, T0789, T0792, T0797, T0800, T0805, T0834

Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0348, K0349, 
K0362, K0369, K0370, K0444, K0471, K0560, K0377, K0392, K0395, K0405, 
K0409, K0427, K0431, K0436, K0437, K0440, K0445, K0446, K0449, K0458, 
K0460, K0464, K0469, K0480, K0511, K0516, K0556, K0561, K0565, K0603, 
K0604, K0610, K0612, K0614, K0357, K0410, K0457, K0465, K0507, K0515, 
K0533, K0542, K0549, K0551, K0577, K0598 

Skills 

S0194, S0203, S0211, S0218, S0227, S0229, S0249, S0256, S0278, S0285, S0288,
S0289, S0296, S0297, S0303, S0189, S0254

Abilities 

A0066, A0075, A0080, A0084, A0072, A0082, A0083, A0085, A0087, A0088, 
A0089, A0091, A0101, A0102, A0106, A0107, A0108, A0109 


Work Role ID 

AN-AN-002 

Category 

Analyze (AN) 

Specialty Area 

All-Source Analysis (AN) 

Work Role Name 

Mission Assessment Specialist (112) 

Work Role 
Description 

Develops assessment plans and measures of performance/effectiveness. Conducts 
strategic and operational effectiveness assessments as required for cyber events. 
Determines whether systems performed as expected and provides input to the 
determination of operational effectiveness. 

Tasks 

T0582, T0583, T0585, T0586, T0588, T0589, T0593, T0597, T0611, T0615, 

T0617, T0624, T0660, T0661, T0663, T0678, T0684, T0685, T0686, T0707, 

T0718, T0748, T0749, T0752, T0758, T0761, T0782, T0783, T0785, T0786, 

T0788, T0789, T0793, T0797, T0834 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0348, K0349, 
K0362, K0369, K0370, K0377, K0392, K0395, K0405, K0409, K0410, K0414, 
K0417, K0427, K0431, K0436, K0437, K0440, K0444, K0445, K0446, K0449, 
K0457, K0460, K0464, K0465, K0469, K0471, K0480, K0507, K0511, K0516, 
K0549, K0551, K0556, K0560, K0561, K0565, K0598, K0603, K0604, K0610, 
K0612, K0614 

Skills 

S0189, S0194, S0203, S0211, S0216, S0218, S0227, S0228, S0229, S0249, S0254, 
S0256, S0271, S0278, S0285, S0288, S0289, S0292, S0296, S0297, S0303 

Abilities 

A0066, A0075, A0080, A0084, A0072, A0082, A0083, A0087, A0088, A0089, 
A0091, A0101, A0102, A0106, A0107, A0109, A0085, A0108


Work Role ID 

AN-TD-001 

Category 

Analyze (AN) 

Specialty Area 

Targets (TD) 

Work Role Name 

Target Developer (131) 

Work Role 
Description 

Performs target system analysis, builds and/or maintains electronic target folders to 
include inputs from environment preparation, and/or internal or external 
intelligence sources. Coordinates with partner target activities and intelligence 
organizations, and presents candidate targets for vetting and validation. 

Tasks 

T0597, T0617, T0707, T0582, T0782, T0797, T0588, T0624, T0661, T0663, 

T0684, T0642, T0710, T0561, T0594, T0599, T0633, T0650, T0652, T0688, 

T0717, T0731, T0744, T0769, T0770, T0776, T0781, T0790, T0794, T0798, 

T0799, T0802, T0815, T0824, T0835

Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0142, K0173, 
K0348, K0349, K0362, K0369, K0370, K0444, K0471, K0560, K0392, K0395, 
K0409, K0427, K0431, K0436, K0437, K0440, K0445, K0446, K0449, K0460, 
K0464, K0516, K0556, K0561, K0565, K0603, K0604, K0614, K0457, K0465, 
K0507, K0549, K0551, K0598, K0417, K0458, K0357, K0533, K0542, K0351, 
K0379, K0473, K0381, K0402, K0413, K0426, K0439, K0461, K0466, K0478, 
K0479, K0497, K0543, K0546, K0547, K0555 

Skills 

S0194, S0203, S0218, S0227, S0229, S0249, S0256, S0278, S0285, S0288, S0289,
S0296, S0297, S0189, S0228, S0216, S0292, S0196, S0187, S0205, S0208, S0222, 
S0248, S0274, S0287, S0302 

Abilities 

A0066, A0075, A0080, A0084, A0087, A0088, A0089, A0091, A0101, A0102, 

A0106, A0109, A0085, A0073


Work Role ID 

AN-TD-002 

Category 

Analyze (AN) 

Specialty Area 

Targets (TD) 

Work Role Name 

Target Network Analyst (132) 

Work Role 
Description 

Conducts advanced analysis of collection and open-source data to ensure target 
continuity; to profile targets and their activities; and develop techniques to gain 
more target information. Determines how targets communicate, move, operate and 
live based on knowledge of target technologies, digital networks and the 
applications on them. 

Tasks 

T0617, T0707, T0582, T0797, T0624, T0710, T0599, T0650, T0802, T0595, 

T0606, T0607, T0621, T0653, T0692, T0706, T0715, T0722, T0745, T0765, 

T0767, T0778, T0803, T0807 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0348, K0349, K0362, K0369, 
K0370, K0444, K0471, K0392, K0395, K0431, K0436, K0440, K0445, K0449, 
K0516, K0379, K0473, K0413, K0439, K0479, K0547, K0487, K0544, K0559, 
K0389, K0403, K0424, K0442, K0462, K0472, K0483, K0500, K0520, K0550, 
K0567, K0592, K0599, K0600 

Skills 

S0194, S0203, S0229, S0256, S0228, S0196, S0187, S0205, S0208, S0222, S0248,

S0274, S0287, S0177, S0178, S0181, S0183, S0191, S0197, S0217, S0219, S0220, 

S0225, S0231, S0234, S0244, S0246, S0259, S0261, S0262, S0263, S0268, S0277, 

S0280, S0291, S0301 

Abilities 

A0066, A0075, A0080, A0084, A0087, A0088, A0089, A0091, A0101, A0102, 

A0106, A0109, A0085, A0073


Work Role ID 

AN-LA-001 

Category 

Analyze (AN) 

Specialty Area 

Language Analysis (LA) 

Work Role Name 

Multi-Disciplined Language Analyst (151) 

Work Role 
Description 

Applies language and culture expertise with target/threat and technical knowledge 
to process, analyze, and/or disseminate intelligence information derived from 
language, voice and/or graphic material. Creates and maintains language-specific
databases and working aids to support cyber action execution and ensure critical
knowledge sharing. Provides subject matter expertise in foreign language-intensive
or interdisciplinary projects.

Tasks 

T0650, T0606, T0715, T0745, T0761, T0837, T0838, T0839, T0840, T0841, 

T0842, T0843, T0844, T0845, T0846, T0847, T0848, T0849, T0850, T0851, 

T0852, T0853, T0854, T0855, T0856, T0857, T0858, T0859, T0860

Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0173, K0348, K0431, K0449,
K0413, K0487, K0462, K0520, K0550, K0567, K0599, K0600, K0417, K0377, 
K0434, K0356, K0359, K0367, K0391, K0396, K0398, K0407, K0416, K0476, 
K0488, K0491, K0493, K0524, K0532, K0539, K0540, K0541, K0545, K0548, 
K0564, K0571, K0574, K0579, K0596, K0606, K0607 

Skills 

S0187, S0217, S0244, S0259, S0262, S0277, S0218, S0184, S0290, S0179, S0188,
S0193, S0195, S0198, S0210, S0212, S0215, S0224, S0226, S0232, S0233, S0235, 
S0241, S0251, S0253, S0265, S0283, S0284 

Abilities 

A0075, A0089, A0071, A0103


Work Role ID 

CO-CL-001

Category 

Collect and Operate (CO) 

Specialty Area 

Collection Operations (CL) 

Work Role Name 

All Source-Collection Manager (311) 

Work Role 
Description 

Identifies collection authorities and environment; incorporates priority information 
requirements into collection management; develops concepts to meet leadership's 
intent. Determines capabilities of available collection assets, identifies new 
collection capabilities; and constructs and disseminates collection plans. Monitors 
execution of tasked collection to ensure effective execution of the collection plan. 

Tasks 

T0562, T0564, T0568, T0573, T0578, T0604, T0605, T0625, T0626, T0631, 

T0632, T0634, T0645, T0646, T0647, T0649, T0651, T0657, T0662, T0674, 

T0681, T0683, T0698, T0702, T0714, T0716, T0721, T0723, T0725, T0734, 

T0737, T0750, T0753, T0755, T0757, T0773, T0779, T0806, T0809, T0810, 

T0811, T0812, T0814, T0820, T0821, T0827 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0431, K0449, 
K0417, K0579, K0596, K0369, K0444, K0471, K0392, K0395, K0440, K0445, 
K0516, K0560, K0427, K0446, K0561, K0565, K0405, K0480, K0610, K0612, 
K0353, K0361, K0364, K0366, K0380, K0382, K0383, K0386, K0387, K0390, 
K0401, K0404, K0412, K0419, K0425, K0435, K0448, K0453, K0454, K0467, 
K0474, K0475, K0477, K0482, K0492, K0495, K0496, K0498, K0503, K0505, 
K0513, K0521, K0522, K0526, K0527, K0552, K0553, K0554, K0558, K0562, 
K0563, K0569, K0570, K0580, K0581, K0583, K0584, K0587, K0588, K0601, 
K0605, K0613 

Skills 

S0238, S0304, S0305, S0311, S0313, S0316, S0317, S0324, S0325, S0327, S0328, 
S0330, S0332, S0334, S0335, S0336, S0339, S0342, S0344, S0347, S0351, S0352 

Abilities 

A0069, A0070, A0076, A0078, A0079 


Work Role ID 

CO-CL-002 

Category 

Collect and Operate (CO) 

Specialty Area 

Collection Operations (CL) 

Work Role Name 

All Source-Collection Requirements Manager (312) 

Work Role 
Description 

Evaluates collection operations and develops effects-based collection requirements 
strategies using available sources and methods to improve collection. Develops, 
processes, validates, and coordinates submission of collection requirements. 
Evaluates performance of collection assets and collection operations. 

Tasks 

T0564, T0568, T0578, T0605, T0651, T0714, T0725, T0734, T0809, T0810, 

T0811, T0565, T0577, T0580, T0596, T0602, T0613, T0668, T0673, T0675, 

T0682, T0689, T0693, T0694, T0730, T0746, T0780, T0819, T0822, T0830, 

T0831, T0832, T0833

Knowledge

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0431, K0417, 
K0579, K0596, K0369, K0444, K0395, K0445, K0516, K0560, K0427, K0446, 
K0561, K0565, K0480, K0610, K0612, K0353, K0361, K0364, K0366, K0380, 
K0382, K0383, K0384, K0386, K0387, K0390, K0401, K0404, K0412, K0419, 
K0421, K0425, K0435, K0448, K0453, K0454, K0467, K0474, K0475, K0477, 
K0482, K0492, K0495, K0496, K0498, K0505, K0513, K0521, K0526, K0527, 
K0552, K0554, K0558, K0562, K0563, K0568, K0569, K0570, K0580, K0581, 
K0584, K0587, K0588, K0605 

Skills 

S0304, S0305, S0316, S0317, S0327, S0330, S0334, S0335, S0336, S0339, S0344, 
S0347, S0352, S0329, S0337, S0346, S0348, S0353

Abilities 

A0069, A0070, A0078 


Work Role ID 

CO-PL-001

Category 

Collect and Operate (CO) 

Specialty Area 

Cyber Operational Planning (PL) 

Work Role Name 

Cyber Intel Planner (331) 

Work Role 
Description 

Develops detailed intelligence plans to satisfy cyber operations requirements. 
Collaborates with cyber operations planners to identify, validate, and levy 
requirements for collection and analysis. Participates in targeting selection, 
validation, synchronization, and execution of cyber actions. Synchronizes 
intelligence activities to support organization objectives in cyberspace. 

Tasks 

T0734, T0563, T0575, T0576, T0579, T0581, T0587, T0590, T0592, T0601, 

T0627, T0628, T0630, T0636, T0637, T0638, T0639, T0640, T0648, T0656, 

T0659, T0667, T0670, T0676, T0680, T0690, T0691, T0705, T0709, T0711, 

T0719, T0726, T0728, T0733, T0735, T0739, T0743, T0760, T0763, T0772, 

T0784, T0801, T0808, T0816, T0836 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0173, K0431, K0417,
K0444, K0395, K0445, K0560, K0427, K0446, K0561, K0565, K0480, K0610, 
K0612, K0435, K0471, K0392, K0440, K0405, K0348, K0377, K0349, K0362, 
K0370, K0436, K0379, K0403, K0460, K0464, K0556, K0603, K0614, K0465, 
K0507, K0598, K0511, K0414, K0577, K0347, K0350, K0352, K0355, K0358, 
K0374, K0378, K0399, K0400, K0408, K0411, K0422, K0432, K0441, K0455, 
K0456, K0459, K0463, K0494, K0501, K0502, K0504, K0506, K0508, K0512, 
K0514, K0517, K0518, K0519, K0525, K0538, K0566, K0572, K0575, K0578, 
K0582, K0585, K0586, K0589, K0590, K0591, K0593, K0594, K0595, K0602 

Skills 

S0218, S0203, S0249, S0278, S0296, S0297, S0176, S0185, S0186, S0213, S0250, 
S0272, S0273, S0306, S0307, S0308, S0309, S0310, S0312, S0314, S0315, S0318,
S0319, S0320, S0321, S0322, S0323, S0331, S0333, S0338, S0340, S0341, S0343,
S0345, S0350 

Abilities 

A0066, A0070, A0075, A0089, A0085, A0082, A0074, A0067, A0068, A0077,
A0081, A0090, A0094, A0096, A0098, A0105


Work Role ID 

CO-PL-002 

Category 

Collect and Operate (CO) 

Specialty Area 

Cyber Operational Planning (PL) 

Work Role Name 

Cyber Ops Planner (332) 

Work Role 
Description 

Develops detailed plans for the conduct or support of the applicable range of cyber 
operations through collaboration with other planners, operators and/or analysts. 
Participates in targeting selection, validation, synchronization, and enables 
integration during the execution of cyber actions.

Tasks

T0734, T0563, T0579, T0581, T0592, T0627, T0628, T0640, T0648, T0667, 

T0670, T0680, T0690, T0719, T0733, T0739, T0743, T0763, T0772, T0801, 

T0836, T0571, T0622, T0635, T0654, T0655, T0658, T0665, T0672, T0679, 

T0699, T0703, T0704, T0732, T0741, T0742, T0747, T0764, T0787, T0791, 

T0795, T0813, T0823 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0173, K0431, K0417, 
K0444, K0395, K0445, K0560, K0446, K0561, K0565, K0480, K0610, K0612, 
K0435, K0471, K0392, K0348, K0377, K0349, K0362, K0370, K0436, K0379, 
K0403, K0464, K0556, K0603, K0614, K0465, K0507, K0598, K0511, K0414, 
K0347, K0350, K0352, K0374, K0378, K0399, K0400, K0408, K0411, K0422, 
K0432, K0455, K0494, K0501, K0502, K0504, K0506, K0508, K0512, K0514, 
K0518, K0519, K0525, K0538, K0566, K0572, K0582, K0585, K0586, K0589, 
K0590, K0593, K0594, K0516, K0497, K0534, K0576, K0597 

Skills 

S0218, S0249, S0296, S0297, S0176, S0185, S0186, S0213, S0250, S0273, S0309, 
S0312, S0322, S0333, S0209, S0326, S0349 

Abilities 

A0066, A0070, A0075, A0089, A0085, A0082, A0074, A0067, A0068, A0077, 
A0081, A0090, A0094, A0096, A0098, A0105 


Work Role ID 

CO-PL-003 

Category 

Collect and Operate (CO) 

Specialty Area 

Cyber Operational Planning (PL) 

Work Role Name 

Partner Integration Planner (333) 

Work Role 
Description 

Works to advance cooperation across organizational or national borders between 
cyber operations partners. Aids the integration of partner cyber teams by providing 
guidance, resources, and collaboration to develop best practices and facilitate 
organizational support for achieving objectives in integrated cyber actions. 

Tasks 

T0581, T0627, T0670, T0739, T0763, T0772, T0836, T0571, T0635, T0665, 

T0699, T0732, T0747, T0764, T0787, T0795, T0823, T0601, T0760, T0784, 

T0629, T0666, T0669, T0671, T0700, T0712, T0729, T0759, T0762, T0766, 

T0817, T0818, T0825, T0826 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0173, K0431, K0417, K0444, 
K0395, K0435, K0392, K0348, K0377, K0362, K0370, K0436, K0379, K0403, 
K0465, K0507, K0598, K0511, K0414, K0350, K0374, K0400, K0408, K0411, 
K0422, K0432, K0455, K0501, K0504, K0506, K0508, K0512, K0514, K0538, 
K0585 

Skills 

S0218, S0249, S0296, S0297, S0185, S0186, S0213, S0250, S0326 

Abilities 

A0066, A0070, A0075, A0089, A0085, A0082, A0074, A0067, A0068, A0077, 
A0081, A0090, A0094, A0096, A0098, A0105 


Work Role ID 

CO-OP-001 

Category 

Collect and Operate (CO) 

Specialty Area 

Cyber Operations (OP) 

Work Role Name 

Cyber Operator (321) 

Work Role 
Description 

Conducts collection, processing, and/or geolocation of systems in order to exploit, 
locate, and/or track targets of interest. Performs network navigation, tactical 
forensic analysis, and, when directed, executing on-net operations. 

Tasks 

T0566, T0567, T0598, T0609, T0610, T0612, T0616, T0618, T0619, T0620, 

T0623, T0643, T0644, T0664, T0677, T0696, T0697, T0724, T0740, T0756, 

T0768, T0774, T0796, T0804, T0828, T0829 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0142, K0370, K0379, K0403, 
K0560, K0565, K0480, K0516, K0427, K0440, K0430, K0537, K0608, K0360, 
K0363, K0365, K0372, K0373, K0375, K0406, K0420, K0423, K0428, K0429, 
K0433, K0438, K0452, K0468, K0481, K0485, K0486, K0528, K0530, K0531, 
K0536, K0573, K0609 

Skills 

S0062, S0183, S0236, S0182, S0190, S0192, S0202, S0206, S0221, S0242, S0243, 
S0252, S0255, S0257, S0266, S0267, S0270, S0275, S0276, S0281, S0282, S0293, 
S0295, S0298, S0299 

Abilities 

A0095, A0097, A0099, A0100 


Work Role ID 

IN-CI-001 

Category 

Investigate (IN) 

Specialty Area 

Cyber Investigation 

Work Role Name 

Cyber Crime Investigator (221) 

Work Role 
Description 

Identifies, collects, examines, and preserves evidence using controlled and 
documented analytical and investigative techniques. 

Tasks 

[Note: Several of these activities may only be conducted by personnel with a 
Law Enforcement or Counter Intelligence Authority.] 


T0031, T0059, T0096, T0103, T0104, T0110, T0112, T0113, T0114, T0120, 

T0225, T0241, T0343, T0346, T0360, T0386, T0423, T0430, T0433, T0453, 

T0471, T0479, T0523 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0070, K0114, K0118, K0123, 
K0128, K0144, K0168, K0231, K0244, K0251 

Skills 

S0047, S0068, S0072, S0086, S0165 

Abilities 

[None specified] 


Work Role ID 

IN-FO-001 

Category 

Investigate (IN) 

Specialty Area 

Digital Forensics (FO) 

Work Role Name 

Forensics Analyst (211) 

Work Role 
Description 

Conducts deep-dive investigations on computer-based crimes establishing 
documentary or physical evidence, to include digital media and logs associated 
with cyber intrusion incidents. 

Tasks 

T0067, T0076, T0096, T0115, T0146, T0484, T0220, T0235, T0273, T0297, 

T0398, T0401, T0403, T0411, T0425, T0421, T0424, T0440, T0482, T0490, 

T0507, T0274, T0059, T0541, T0558, T0078, T0427, T0402, T0419, T0420, 

T0542, T0308, T0447 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0017, K0021, K0042, K0060, 
K0070, K0077, K0078, K0099, K0109, K0117, K0118, K0119, K0122, K0123, 
K0125, K0128, K0131, K0132, K0133, K0134, K0145, K0155, K0156, K0167, 
K0168, K0179, K0182, K0183, K0184, K0185, K0186, K0187, K0188, K0189, 
K0305 

Skills 

S0032, S0046, S0047, S0062, S0065, S0067, S0068, S0069, S0071, S0073, S0074, 
S0075, S0087, S0088, S0089, S0090, S0091, S0092, S0093 

Abilities 

A0005 


Work Role ID 

IN-FO-002 

Category 

Investigate (IN) 

Specialty Area 

Digital Forensics (FO) 

Work Role Name 

Cyber Defense Forensics Analyst (212) 

Work Role 
Description 

Analyzes digital evidence and investigates computer security incidents to derive 
useful information in support of system/network vulnerability mitigation. 

Tasks 

T0027, T0036, T0048, T0049, T0075, T0087, T0103, T0113, T0165, T0167, 

T0168, T0172, T0173, T0175, T0179, T0182, T0190, T0212, T0216, T0240, 

T0241, T0253, T0279, T0285, T0286, T0287, T0288, T0289, T0312, T0396, 

T0397, T0398, T0399, T0400, T0401, T0432, T0532, T0543, T0546 

Knowledge 

K0001, K0002, K0003, K0004, K0005, K0006, K0018, K0021, K0042, K0060, 
K0070, K0077, K0078, K0099, K0109, K0117, K0118, K0119, K0122, K0123, 
K0125, K0128, K0131, K0132, K0133, K0134, K0145, K0155, K0156, K0167, 
K0168, K0179, K0182, K0183, K0184, K0185, K0186, K0187, K0188, K0189, 
K0224, K0254, K0255, K0301, K0304, K0347 

Skills 

S0032, S0047, S0062, S0065, S0067, S0068, S0069, S0071, S0073, S0074, S0075, 
S0087, S0088, S0089, S0090, S0091, S0092, S0093, S0131, S0132, S0133 

Abilities 

A0005, A0043 


Appendix C—Acronyms 


Selected acronyms and abbreviations used in this paper are defined below: 


API 

Application programming interface 

CAE 

Centers of Academic Excellence 

CDS 

Cross-Domain Solutions 

CIO 

Chief Information Officer 

CMMI 

Capability Maturity Model Integration 

CNSSI 

Committee on National Security Systems Instruction 

COMSEC 

Communications Security 

COTR 

Contracting Officer's Technical Representative 

CSF 

Cybersecurity Framework 

CSIP 

Cybersecurity Strategy and Implementation Plan 

DNS 

Domain Name System 

EISA 

Enterprise information security architecture 

FISMA 

Federal Information Security Modernization Act 

FOIA 

Freedom of Information Act 

HR 

Human Resource 

IDS 

Intrusion detection system 

IP 

Internet Protocol 

IPS 

Intrusion Prevention System 

IR 

Incident Response 

IRT 

Incident Response Teams 

ISD 

Instructional System Design 

ITL 

Information Technology Laboratory 

KSA 

Knowledge, skills, and abilities 

LAN 

Local area network 

NCWF 

National Cybersecurity Workforce Framework 

NICE 

National Initiative for Cybersecurity Education 

OLA 

Operating-Level Agreement 

OMB 

Office of Management and Budget 

OPM 

Office of Personnel Management 

OS 

Operating system 

OSI 

Open System Interconnection 

P.L. 

Public Law 

PCI 

Payment Card Industry 

PHI 

Personal Health Information 

PIA 

Privacy Impact Assessments 

PII 

Personally Identifiable Information 

PKI 

Public key infrastructure 

R&D 

Research and Design 

RFID 

Radio Frequency Identification 

RMF 

Risk Management Framework 

SA&A 

Security Assessment and Authorization 

SDLC 

System development life cycle 

SLA 

Service-Level Agreements 

SOP 

Standard operating procedures 

SQL 

Structured query language 

TCP 

Transmission Control Protocol 

TTP 

Tactics, techniques, and procedures 

URL 

Uniform Resource Locator 

VPN 

Virtual Private Network 

WAN 

Wide Area Network 